Conti ransomware fell victim to a data leak

Even the operators of the Conti ransomware have fallen victim to a data leak: the Swiss cybersecurity company Prodaft was able to determine the real IP address of one of the group’s servers and retained access to the system for more than a month.

The affected server was the group’s payment portal (the so-called “recovery server”), to which the hackers directed their victims to negotiate a ransom. The server was hosted by the Ukrainian hosting provider ITL LLC at the IP address 217.12.204.135.

“Our team discovered a vulnerability in the recovery servers that Conti uses and exploited the vulnerability to discover the real IP addresses of the hidden service where the site was hosted,” says the Prodaft report.

The researchers kept access to the server for several weeks and monitored all network traffic and IP addresses. While some of the addresses belonged to victims and their intermediaries, Prodaft also tracked SSH connections that most likely belonged to the hackers themselves. Alas, all of the SSH source addresses were Tor exit nodes, that is, they could not be used to identify members of the group.
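The triage step described above, attributing SSH logins on a compromised server and then checking whether each source address is a Tor exit, is the kind of thing an analyst scripts rather than does by hand. The following is an added example and not code from the Prodaft report or from Conti’s server: it parses a few constructed sshd log lines, matches the source addresses against a constructed stand-in for a Tor exit list, and reports which successful logins, if any, are worth pivoting on. The log lines, the exit list and all addresses (RFC 5737 / RFC 3849 documentation ranges) are made up for the example; in practice the exit list would be fetched from the Tor project’s bulk exit list.

```python
import ipaddress
import re

# Constructed sshd log excerpt (not from the Prodaft report). Addresses are
# from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
# and 2001:db8::/32.
SAMPLE_SSHD_LOG = """\
Nov 18 03:12:41 recovery sshd[2131]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2
Nov 18 03:40:07 recovery sshd[2203]: Accepted publickey for root from 198.51.100.7 port 44810 ssh2
Nov 18 04:02:19 recovery sshd[2290]: Failed password for invalid user admin from 203.0.113.99 port 60211 ssh2
Nov 18 05:15:55 recovery sshd[2377]: Accepted publickey for root from 192.0.2.10 port 51188 ssh2
Nov 18 05:16:02 recovery sshd[2380]: Accepted password for root from 2001:db8::1 port 39944 ssh2
"""

# Constructed stand-in for a Tor exit list: one address per line, '#' comments.
# The real list has the same shape (https://check.torproject.org/torbulkexitlist).
SAMPLE_TOR_EXIT_LIST = """\
# constructed exit list for the example
192.0.2.10
198.51.100.7
2001:db8::1
"""

# Matches both "Accepted <method> for <user>" and
# "Failed <method> for [invalid user ]<user>" sshd messages.
_SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_exit_list(text):
    """Return the set of ip_address objects in a Tor bulk-exit-list style file."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ipaddress.ip_address(line))
    return exits


def parse_sshd(text):
    """Yield one dict per authentication event found in sshd log text."""
    for line in text.splitlines():
        m = _SSHD_RE.search(line)
        if not m:
            continue  # not an auth event (or a line we do not model)
        yield {
            "event": m.group("event"),
            "user": m.group("user"),
            "ip": ipaddress.ip_address(m.group("ip")),
            "port": int(m.group("port")),
        }


def attribute_ssh_sources(log_text, exit_list_text):
    """Per source IP: whether it is a Tor exit, and accepted/failed counts."""
    exits = parse_exit_list(exit_list_text)
    summary = {}
    for ev in parse_sshd(log_text):
        key = str(ev["ip"])
        entry = summary.setdefault(
            key, {"via_tor": ev["ip"] in exits, "accepted": 0, "failed": 0}
        )
        if ev["event"] == "Accepted":
            entry["accepted"] += 1
        else:
            entry["failed"] += 1
    return summary


def attributable_logins(summary):
    """Sources with a successful login that did NOT come through Tor.

    These are the only addresses that could plausibly lead back to an
    operator; a Tor exit identifies the exit relay, not the client.
    """
    return sorted(ip for ip, e in summary.items() if e["accepted"] and not e["via_tor"])


if __name__ == "__main__":
    result = attribute_ssh_sources(SAMPLE_SSHD_LOG, SAMPLE_TOR_EXIT_LIST)
    for ip, e in result.items():
        print(f"{ip:16} tor_exit={e['via_tor']!s:5} accepted={e['accepted']} failed={e['failed']}")
    print("attributable successful logins:", attributable_logins(result))
```

With the constructed data every successful login arrives via a Tor exit and only the failed brute-force attempt comes from a direct address, so `attributable_logins` returns an empty list, which is exactly the dead end the researchers describe. In a real investigation the exit list should be the one current at the time of each login, since exit relays come and go.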

Conti Server

The researchers’ report also provided other valuable information, including details of the Conti server’s operating system and its htpasswd file, which contained a hashed version of the server password. Prodaft emphasizes that it has shared all of its findings with law enforcement and that some details are being withheld to give law enforcement time to act.

The publication of the report did not go unnoticed, not only among information security experts but also among the hackers themselves. The point is that leaking the server’s IP address and password hash could potentially expose the server to competing groups. Within a few hours of the report’s publication, MalwareHunterTeam researchers noticed that Conti had shut down its payment portal. The sudden downtime made it impossible for Conti’s recent victims to contact the hackers and pay the ever-increasing ransom.

The Conti payment portal came back online more than 24 hours after the shutdown, and an angry message appeared on the group’s blog saying that “Europeans seem to have decided to forget about their manners and behaved like bullies trying to hack our systems.”

The hackers also denied a claim Prodaft made last week: the researchers wrote that since July 2021 the ransomware had “earned” about $25.5 million. Conti’s operators said they had actually made more than $300,000,000 in profits. However, this is most likely just bragging, which attackers use to promote themselves and increase the profitability of their attacks.

Interestingly, some experts have already criticized Prodaft for publicly disclosing the information, which only led to Conti tightening the security of its servers.

Let me remind you that we also wrote that Hive ransomware infected MediaMarkt and its operators are demanding $240 million.

Helga Smith

I have been interested in computer science, especially information security and the field now called “data science”, since my early teens. Before joining the virus removal team as editor-in-chief, I worked as a cybersecurity specialist at several companies, including one of Amazon’s contractors. Other experience: I have taught at the universities of Arden and Reading.
