Prodraft Researchers Identify a Conti Server

Industry: N/A | Level: Strategic | Source: TheRecord

Researchers at Prodaft were able to identify an exposed server associated with the Conti ransomware gang. The server is used for payment or site recovery victim visit to negotiate ransom payments. Researchers were able to maintain access to the server for several weeks observing network traffic connecting to the server. The traffic was largely victim IP addresses, but observed SSH traffic was likely the ransomware operators. Unfortunately, the SSH IP addresses were associated with Tor exit nodes. When Prodaft published their report of this activity, the ransomware gang was immediately aware and took the server offline.