Conti Leak Indicators – What to block, in your SOC….

Security expert provided leak indicators for Conti ransomware operations that were recently disclosed by a disgruntled affiliate.

An affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators.

The Conti Ransomware operators offer their services to their affiliates and maintain 20-30% of each ransom payment.

The angry affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.

Threat intelligence expert Niels Groeneveld provided leak Conti ransomware operations

Individual IP addresses used by Conti, according to the leaked documentation:

• 162.244.80.235
• 85.93.88.165
• 185.141.63.120
• 82.118.21.1

Probably the threat actors will already have changed these individual indicators; to threaten them as individual IOC’s might be 100% pointless. However, the threat actors might continue, to use the same infrastructure.

162.244.80.0/22 – Data Room

85.93.80.0/20 – Heg Mass

185.141.61.0/24 – RedCluster LTD

185.141.62.0/23 – RedCluster LTD

82.118.20.0/22 – GreenFloid NOC

For most organizations, the chance of false positives, when blocking these subnets, will be very low to non-existent. If you are in doubt, check the subnets on https://bgp.he.net and look at known DNS entries to get an idea.

If you want to extend your blocking further, look at the BGP AS associated to these subnets; and subsequently, check the prefixes listed for associated subnets.

Data Room https://bgp.he.net/AS19624#_prefixes

PlusServer https://bgp.he.net/AS61157#_prefixes

BelCloud https://bgp.he.net/AS44901#_prefixes

ITL Bulgaria https://bgp.he.net/AS204957#_prefixes

Blocking individual IP addresses does not make much sense when fighting against professional ransomware or APT actors. Looking at their infrastructures, other story?

About the author Niels Groeneveld

A threat researcher of the Digital Protection Unit, at Tesorion Cybersecurity Solutions, he worked for RedSocks/Bitdefender as senior threat intelligence analyst from 2014-2020, analyzing malicious malware infrastructure, used by ransomware groups, APT groups and other threat actors.’

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]