Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti ransomware group and access its console for more than a month. The exposed server was hosting the payment portal used by the gang for ransom negotiations with the victims.
“The PTI team accessed Conti’s infrastructure and identified the real IP addresses of the servers in question,” reads the report published by the experts. “Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website.”
The experts launched an investigation into the group's activity with the intent of unmasking Conti affiliates, retailers, developers and servers.
The researchers were able to unmask the real IP address behind Conti's Tor hidden service and the contirecovery.ws domain: 220.127.116.11, an address owned by the Ukrainian web hosting company ITL LLC.
Prodaft researchers were able to compromise the server and monitor network traffic for incoming connections, including SSH connections used by Conti members to access the server.
However, the source IP addresses of those SSH connections belonged to Tor exit nodes, which Conti operators used to hide their real location.
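The attribution step described above, correlating the source addresses of SSH logins with a list of Tor exit nodes, is the same check a defender can run over their own authentication logs. The following is an added example, not code from the Prodaft report or from Conti's server: it parses sshd log lines and flags logins whose source address appears in an exit-node list. Both the log lines and the exit-node list are constructed sample data using documentation IP ranges; in practice the list would come from the Tor Project's published exit list.

```python
import re
import ipaddress

# Constructed sample sshd lines (not from the report); IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Nov 18 09:12:01 host sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2: RSA SHA256:abc
Nov 18 09:15:44 host sshd[1207]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Nov 18 09:20:03 host sshd[1210]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
Nov 18 09:25:19 host sshd[1215]: Accepted publickey for admin from 192.0.2.10 port 51240 ssh2: RSA SHA256:abc
"""

# Constructed stand-in for a Tor exit-node list (fetch the real one in production).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.5"}

# Matches the "Accepted"/"Failed" lines sshd writes for each login attempt.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def parse_sshd_events(log_text):
    """Turn raw sshd log text into a list of login-attempt records."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        result, method, user, ip, port = m.groups()
        events.append(
            {"result": result, "method": method, "user": user,
             "src_ip": ip, "port": int(port)}
        )
    return events


def flag_tor_logins(events, exit_nodes):
    """Return the events whose source IP is a known Tor exit node."""
    flagged = []
    for ev in events:
        try:
            ipaddress.ip_address(ev["src_ip"])  # skip anything that is not a valid IP
        except ValueError:
            continue
        if ev["src_ip"] in exit_nodes:
            flagged.append(ev)
    return flagged


def summarize(log_text, exit_nodes):
    """Count events, Tor-sourced events, and list users with successful Tor-sourced logins."""
    events = parse_sshd_events(log_text)
    flagged = flag_tor_logins(events, exit_nodes)
    return {
        "total_events": len(events),
        "tor_sourced": len(flagged),
        "tor_accepted": [e["user"] for e in flagged if e["result"] == "Accepted"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_AUTH_LOG, TOR_EXIT_NODES))
```

A successful login from a Tor exit node is the point where source-based attribution stops, exactly as the researchers found; for a defender the practical value is an alert on that event, since administrative SSH access routed through Tor is rarely legitimate on a server that does not expect it.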
The experts were also able to determine the OS of the server behind the hidden service, a Debian system with the hostname "dedic-cuprum-617836". The experts speculate that the numeric value in the hostname is an invoice number for the server, assigned by the hosting company ITLDC.
Linux version 4.9.0-16-amd64 (Debian 6.3.0-18deb9u1) #1 SMP Debian 4.9.272-2 (2021-07-19)
18.104.22.168 dedic-cuprum-617836.hosted-by-itldc.com dedic-cuprum-617836
The security firm shared its findings with law enforcement authorities.
The experts also shared the contents of the htpasswd file from the host, which can be used in future investigations into Conti operations.
The PTI team was also able to discover multiple victim chat sessions and captured login credentials for the MEGA accounts used while contacting the victims. The experts were able to determine the connecting IP addresses, dates, the purchase method, and the software used to access the file sharing and upload service.
After the report was published, the Conti operators took their payment portal offline, MalwareHunterTeam researchers confirmed.
(SecurityAffairs – hacking, Operation Cyclone)