Ransomware Accounts leaks: the content

The data breach, which has affected the group ransomware Accounts, seen from the inside.

I wrote today on CyberSecurity360 what happened to the group of ransomware Accounts, as a result of their position in reference to the crisis in ukraine, siding, as expected, in support of the Russian government.

A member of the group, Ukrainian, he wanted to distinguish, while turning against the group itself, exposing through a Twitter account, a series of internal files and reserved of the group. Private conversations from the Jabber server of the cyber gang, and important technical information on their operations.

Another leak during the war in the Ukraine, in the group of ransomware is Trickbot Leak.

The contents of the leak of Accounts ransomware

In this post, the purpose is to make known the content of these leaks. I set up an account dedicated to file sharing, and I will keep, making it available below, the content of what is being leaked.

In the gallery you can find the screenshots, but this is not the only. All other files are shared here. And inside you can also find the code of the locker-v2inside the source code of the decryptor.

The rest of the files leaked

The other files, that are not screenshots, they will be inserted as said, within this shared folder. There are no passwords for the extraction of the archives, the net of those listed below.

Share Dir: ufile.I/f/yredk

  • File: conti_locker_v2_zip Password: xxx (unknown yet, however, in the dir there is the code noLocker without the password, plus I added the new file conti_locker_unlock.zip containing the data of the original, but no password. Then the source code is available from the latter).

Update 20/03/22: Accounts v3

File: conti_v3.7z – Password: ВсеБудеУкраїна – the update includes the insertion in the folder of the latest version of the source code of the ransomware Accounts for the single download the link here. Instead, for the analysis of VirusTotalthis is the reference. Source Zer0DayLabbut I know that VX-Underground exposes the files in the archive, malware, without, however, the revelation of the password, useful for the extraction.

In this regard, I note that the focus in the consultation should be maximum because by extracting with this password, of course, all files are accessible on your computer. Between the source code file, there are both the encryptor and the decryptor already compiled.exe), definitely dangerous for a use not responsible for it.

Conversations Accounts ransomware

For the monitoring of the files leaked regarding the log of conversations, chat, Jabber server, etc, predispongo folders on our GitHub repository. Text files and JSON, you can find them from this directory.

https://github.com/nuke86/inSicDig-data/tree/main/Leaks/Conti

Translation in English

A user volunteer, he has shared online translation of the logs of the conversations JSON leaked, and the link to this project on GitHub, has been updated, so now you can find the folder original with the file in Russian and the folder EN with the translated files from the user.

Updates

02/03/2022: Added the file to the root Dir (conti_locker_unlock.zip) containing conti_locker_v2.zipwithout password. The source code of the locker Conti ransomware. Download Here.

02/03/2022: Added JSON translation logs in English.

01/03/2022The group Accounts continued to lose data in direct. The member contrary to their policy, pro-Russia, continues to do damage, yet having access to their infrastructure. Has not been identified, or the branching is now untraceable. I think that the heart of this group, you can only go forward with the rebrand.

Dario Fadda

IT & Security blogger per passione. Nel 2003 ho fondato Spcnet.it. Dal 2006 sono membro attivo del Gulch (Gruppo Utenti Linux Cagliari). Oggi scrivo qui e nella pagina "La Stampa dice" trovate i miei contributi per le testate giornalistiche. Per tutto il resto c'è dariofadda.it che contiene "quasi" tutto di me.

6 thoughts on “Ransomware Conti leaks: il contenuto

    1. Grazie mille! Faccio notare però che la password indicata è esatta. Bisogna stare attenti a utilizzare il metodo di estrazione 7zip e non zip. Altrimenti non viene riconosciuta, in quanto in origine compresso proprio con 7zip

    1. I have updated the article, inserting a link that contains the file without a password, extract and riarchiviato from me. The link is next to the password.

    1. The file binman/docs are all in the GitHub repository, they should be the ones! In today's update, the file “conti_locker_unlock.zip” is the file conti_locker_v2.zip but without a password. The source code of the locker Accounts.

Want to comment on? Turn on the discussion

Back to top