{
	"id": "babd282e-3f72-4c44-bf1b-95e617aa1ea5",
	"created_at": "2026-04-06T01:29:06.419385Z",
	"updated_at": "2026-04-10T13:12:45.764975Z",
	"deleted_at": null,
	"sha1_hash": "16e80a11d7f86f1c4f18a918bc4854323d8c6fba",
	"title": "Conti Ransomware Decryptor, TrickBot Source Code Leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 221369,
	"plain_text": "Conti Ransomware Decryptor, TrickBot Source Code Leaked\r\nBy Lisa Vaas\r\nPublished: 2022-03-02 · Archived: 2026-04-06 01:24:54 UTC\r\nThe decryptor spilled by ContiLeaks won’t work for recent victims. Conti couldn’t care less: It’s still operating just fine. Still, the dump is a bouquet’s worth of intel.\r\nThe pro-Ukraine member of the Conti ransomware gang who promised to eviscerate the extortionists after they pledged support for the Russian government has spilled yet more Conti guts: The latest dump includes source code for the Conti ransomware, TrickBot malware, a decryptor and the gang’s administrative panels, among other core secrets.\r\nOn Monday, vx-underground – an internet collection of malware source code, samples and papers that’s generally considered to be a benign entity – shared on Twitter a message from a Conti member saying that “This is a friendly heads-up that the Conti gang has just lost all their sh•t.”\r\nThe first of what ContiLeaks promised would be a series of “very interesting” leaks included 60,000 of the Conti gang’s internal chat messages.\r\nThe Conti Intel Treasure Trove\r\nThen, on Tuesday, ContiLeaks leaked even more of Conti’s common tactics, techniques and procedures (TTPs), which were shared by vx-underground.\r\nIn a Wednesday analysis, CyberArk researchers enumerated the leaked content and why it’s important. 
This intel is vital as Russian tanks roll through Ukraine and cyberattacks fly in support of either aiding the besieged country or tripping up the aggressor, CyberArk researchers asserted.\r\nIts analysis pointed to a cybersecurity bulletin issued jointly over the weekend by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI: an advisory that warned that Russia’s attack on Ukraine – which has included cyberattacks on Ukrainian government and critical infrastructure organizations – may spill over Ukraine’s borders, particularly in the wake of sanctions imposed by the United States and its allies.\r\n“As cybersecurity researchers, we believe insight gained from these leaks is incredibly important to the cybersecurity community at large. Ongoing awareness and visibility into the leaked tools while supporting the need for continued vigilance is critical during this time, and reinforced by [the CISA/FBI alert].”\r\nWhat’s in the Second Dump\r\nhttps://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/\r\nPage 1 of 6\r\nThe files shared by ContiLeaks have a slew of fresh meat, with some dated as recently as yesterday, March 1.\r\nContiLeaks’ data dump content as of March 1. Source: vx-underground.\r\nHere’s a selection of the repositories and what researchers can do with them:\r\nChats\r\nAs far as the leaked chats go, they span internal communications of the Conti gang between June and November 2020. 
CyberArk noted that one user in particular “frequently spams all the other users.”\r\nThe chats will enable researchers to see a good chunk of Conti gang usernames in one place, researchers said, “allowing us to enumerate all the people in the Conti group.”\r\nAdmin Panel Code\r\nA quick look at the cache’s repositories led the researchers to surmise that most of the code Conti uses appears to be open-source software. They pointed to two examples: the PHP frameworks Yii2 and Kohana, which are “used as part of (what seems to be) the admin panel,” they said.\r\n“The code is mostly written in PHP and is managed by Composer, with the exception of one repository of a tool written in Go,” they said. 
The repositories also contain some config files that list local database usernames and passwords, as well as a few public IP addresses.\r\nCredentials Ripped Off by Pony Malware\r\nThe Conti Pony Leak 2016 repository contains a collection of email accounts and passwords – including from mail services such as gmail.com, mail.ru and yahoo.com – that were apparently stolen from various sources by Pony, a credential-stealing malware that, at least as of 2018, was the stealer of choice among criminals. It also contains credentials for FTP, RDP and SSH services, plus credentials for various websites.\r\nTTPs\r\nThe Conti Rocket Chat Leaks repository contains a chat history of Conti members swapping tips about targets and about carrying out attacks with the crooks’ favorite tool: Cobalt Strike, the legitimate, commercially available adversary-emulation framework used by penetration testers and red teams, and abused by criminals for post-exploitation and command-and-control.\r\nThe Conti gang chatters talked about these techniques:\r\nActive Directory enumeration\r\nSQL database enumeration via sqlcmd\r\nHow to gain access to ShadowProtect SPX (StorageCraft) backups\r\nHow to create NTDS dumps via vssadmin\r\nHow to open a new RDP port (1350)\r\nAnd these tools:\r\nCobalt Strike\r\nMetasploit\r\nPowerView\r\nShareFinder\r\nAnyDesk\r\nMimikatz\r\nConti Locker v2 \u0026 the Decryptor That Probably De-Won’t\r\nThe dump also contains the source code for Conti Locker v2, which was first leaked as a password-protected zip file and then again without any password.\r\nBesides the source code for the v2 encryptor, the leak also contained source code for the decryptor – a decryptor that reportedly won’t work, as pointed out on Twitter.\r\n“I had heard it’s not the latest version and does not work,” David Marcus of LookingGlass confirmed.\r\nThe released decryptor might be a version that Conti sends to victims who’ve paid 
the ransom, he suggested.\r\nDecryptors act a bit like unzipping a password-protected file, he said, except that they’re more complex, since they vary by ransomware family.\r\n“Some are built into a standalone binary, others can be remote-enabled. Usually they have keys built into them,” Marcus said.\r\nConti Training Materials\r\nThe leaked documents also contain training materials, including videos of online courses in Russian, as well as how-tos covering these topics:\r\nCracking\r\nMetasploit\r\nNetwork Pentesting\r\nCobalt Strike\r\nPowerShell for Pentesters\r\nWindows Red Teaming\r\nWMI Attacks (and Defenses)\r\nSQL Server\r\nActive Directory\r\nReverse Engineering\r\nConti training materials, in Russian. Source: CyberArk.\r\nTrickBot Leaks\r\nOne of the leaked files is a dump of chats from the forums used by the operators of the TrickBot trojan, spanning forum messages from 2019 until 2021.\r\nMost of the chats are about how to move laterally across networks and how to use certain tools, but CyberArk also found out quite a bit about the TrickBot and Conti gangs’ TTPs.\r\n“For instance in one of the correspondences a member shares his web shell of choice, ‘the lightest and most durable webshell I use,’” researchers said.\r\nAlso included is evidence from early July 2021 that the group used exploits such as Zerologon (CVE-2020-1472, the Netlogon privilege-escalation flaw in Windows domain controllers). That is not surprising, given that starting in September 2020, at least four public proof-of-concept (PoC) exploits for the flaw were released on GitHub, along with technical details of the vulnerability.\r\nOther TrickBot leaks include server-side components written in Erlang, a trickbot-command-dispatcher-backend and trickbot-data-collector-backend, dubbed lero and dero.\r\nThank heavens for the readable code, said one Twitter commenter: “That’s finally something worth reviewing (Conti Trickbot 
Leaks.7z file) – clean, reusable implementation in Erlang, better than several open source Erlang server examples.”\r\nTrickBot Code Could Lead to … Better TrickBot\r\nWill the leak slow down TrickBot operators? It didn’t actually have to, since the operators already seem to have taken a few hits of Xanax.\r\nLast week, researchers at Intel 471 published a report about how the group behind the TrickBot malware is back after an unusually long lull between campaigns. If not a full stop, they’ve been operating pretty languidly: from Dec. 28, 2021 until Feb. 17, Intel 471 researchers hadn’t seen any new TrickBot campaigns.\r\nResearchers said at the time that the pause could be due to the TrickBot gang making an operational shift to focus on partner malware, such as Emotet.\r\nThe ContiLeaks source code leak could, however, change the scene, and not for the better. David Marcus, senior director of threat intelligence at threat-intel company LookingGlass, told Threatpost on Wednesday that the leaks will have “a huge impact” long term as security researchers continue to work through the fresh data. “The amount we will learn about their tactics, code development, monetization efforts, potential members and such cannot be overstated,” he said via email.\r\nBut as far as the source code leak is concerned, that will be a double-edged sword, he cautioned. “It will benefit researchers from a defensive point-of-view, as a better understanding of how TrickBot works will allow for better defensive measures,” he said. 
“The flip side of that is that it will also allow for more TrickBot development by more malware writers.”\r\nConti Couldn’t Care Less\r\nAs far as the leak of Conti code goes, it would be nice to think that the gang’s operators were howling in pain at the disclosures, but that’s not exactly what’s happening.\r\nYelisey Boguslavskiy, head of research at the threat intel firm Advanced Intelligence (AdvIntel), told Threatpost on Wednesday that none of the firm’s primary-source intel indicates that the leak will affect Conti.\r\n“The leak was related to only one group out of six, and even though this group was likely the most important one, the rest of the teams were not impacted at all,” he explained. “Conti relaunched all of its infrastructural capacities and keeps operating.”\r\nSource: https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/"
	],
	"report_names": [
		"178727"
	],
	"threat_actors": [],
	"ts_created_at": 1775438946,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16e80a11d7f86f1c4f18a918bc4854323d8c6fba.pdf",
		"text": "https://archive.orkl.eu/16e80a11d7f86f1c4f18a918bc4854323d8c6fba.txt",
		"img": "https://archive.orkl.eu/16e80a11d7f86f1c4f18a918bc4854323d8c6fba.jpg"
	}
}