Conti Leak Indicators – What to block, in your SOC….

August 6, 2021  By Pierluigi Paganini


Security expert provided leak indicators for Conti ransomware operations that were recently disclosed by a disgruntled affiliate.

An affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators.

The Conti Ransomware operators offer their services to their affiliates and maintain 20-30% of each ransom payment.

The angry affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.

Threat intelligence expert Niels Groeneveld provided leak Conti ransomware operations

Individual IP addresses used by Conti, according to the leaked documentation:

  • 162.244.80.235
  • 85.93.88.165
  • 185.141.63.120
  • 82.118.21.1

Probably the threat actors will already have changed these individual indicators; to threaten them as individual IOC’s might be 100% pointless. However, the threat actors might continue, to use the same infrastructure.

162.244.80.0/22 – Data Room

85.93.80.0/20 – Heg Mass

185.141.61.0/24 – RedCluster LTD

185.141.62.0/23 – RedCluster LTD

82.118.20.0/22 – GreenFloid NOC

For most organizations, the chance of false positives, when blocking these subnets, will be very low to non-existent. If you are in doubt, check the subnets on https://bgp.he.net and look at known DNS entries to get an idea.

If you want to extend your blocking further, look at the BGP AS associated to these subnets; and subsequently, check the prefixes listed for associated subnets.

Data Room https://bgp.he.net/AS19624#_prefixes

PlusServer https://bgp.he.net/AS61157#_prefixes

BelCloud https://bgp.he.net/AS44901#_prefixes

ITL Bulgaria https://bgp.he.net/AS204957#_prefixes

Blocking individual IP addresses does not make much sense when fighting against professional ransomware or APT actors. Looking at their infrastructures, other story?

About the author Niels Groeneveld

A threat researcher of the Digital Protection Unit, at Tesorion Cybersecurity Solutions, he worked for RedSocks/Bitdefender as senior threat intelligence analyst from 2014-2020, analyzing malicious malware infrastructure, used by ransomware groups, APT groups and other threat actors.’

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

VMware addresses critical flaws in its products

 VMware has addressed a critical vulnerability that affects multiple products that could be exploited to gain access to confidential...