The Conti Ransomware operators offer their services to their affiliates and maintain 20-30% of each ransom payment.
The angry affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.
Threat intelligence expert Niels Groeneveld provided leak Conti ransomware operations
Individual IP addresses used by Conti, according to the leaked documentation:
Probably the threat actors will already have changed these individual indicators; to threaten them as individual IOC’s might be 100% pointless. However, the threat actors might continue, to use the same infrastructure.
18.104.22.168/22 – Data Room
22.214.171.124/20 – Heg Mass
126.96.36.199/24 – RedCluster LTD
188.8.131.52/23 – RedCluster LTD
184.108.40.206/22 – GreenFloid NOC
For most organizations, the chance of false positives, when blocking these subnets, will be very low to non-existent. If you are in doubt, check the subnets on https://bgp.he.net and look at known DNS entries to get an idea.
If you want to extend your blocking further, look at the BGP AS associated to these subnets; and subsequently, check the prefixes listed for associated subnets.
Data Room https://bgp.he.net/AS19624#_prefixes
ITL Bulgaria https://bgp.he.net/AS204957#_prefixes
Blocking individual IP addresses does not make much sense when fighting against professional ransomware or APT actors. Looking at their infrastructures, other story?
About the author Niels Groeneveld
A threat researcher of the Digital Protection Unit, at Tesorion Cybersecurity Solutions, he worked for RedSocks/Bitdefender as senior threat intelligence analyst from 2014-2020, analyzing malicious malware infrastructure, used by ransomware groups, APT groups and other threat actors.’
(SecurityAffairs – hacking, Conti ransomware)