Submissions to the ransomware identification site ID Ransomware also show increased activity of the Conti ransomware since June 15th.
“Since July 2020, Ryuk is no longer being deployed, and in its place, the TrickBot-linked operators are now deploying the Conti ransomware,” argues Vitali Kremez from Advanced Intel.
Nowadays, many ransomware operators practice so-called “double extortion”. Attackers demand a ransom from companies for decrypting the affected data, but before starting encryption they also steal confidential information, and then threaten to publish it if the victim does not pay a second ransom.
A notable example of such a double ransom attack is the recent incident at the University of Utah. The educational institution was practically unaffected by the ransomware attack itself, but it was still forced to pay the criminals $457,000, as they threatened to disclose the personal data of students that was stolen during the attack.
This tactic has been used by ransomware operators since 2019, and the operators of the Maze ransomware were the first to launch a site for leaked data. Other groups soon followed suit, including Ako, Avaddon, CLOP, Darkside, DoppelPaymer, Mespinoza (Pysa), Nefilim, NetWalker, RagnarLocker, REvil (Sodinokibi), and Sekhmet.
Now this list has been joined by the Conti ransomware, which appeared relatively recently. The group’s website has already listed 26 victim companies, many of which are very large and well-known.
For each victim, hackers create a separate page containing samples of stolen data.
Previously, the operators of this ransomware included only a message stating that the victim’s data was encrypted and provided two email addresses to contact them.