Leaked details include the server's IP address and its hashed password. This led Conti ransomware to take the server offline for more than a day and come back with a notice explaining the situation.
Leaking a Ransomware’s Identity
Prodaft, a Swiss security firm, has published a long report detailing its findings on the Conti ransomware group. The firm's researchers leveraged a bug in one of Conti's servers to leak details regarding the group's identity.
The vulnerable server was hosting the gang's payment portal, through which Conti directs its victims for ransom negotiations and decryption keys. Prodaft identified that the server had the IP address 217.12.204.135, hosted by ITL LLC, a Ukrainian web hosting company. Aside from the IP address, the researchers monitored the server's traffic, maintaining access to it for weeks. While some connections were identified as victims, some SSH connections showed Conti members accessing the server at times. But since the SSH connections came only from Tor exit nodes, the researchers were unable to find the real identities of Conti members. Yet they obtained the hashed password of this server and the OS it was running.
Prodaft published all of these findings and was soon criticized by the community for making such details public. Conti ransomware soon picked up on this and took its server offline. After 24 hours, it was back up again and posted a note explaining the breach. While Conti assured its affiliates that they need not worry, Prodaft shared this information with law enforcement for further legal action.