The Conti ransomware group has suffered an embarrassing data breach after a security firm was able to identify the real IP address of one of its most sensitive servers and then gain console access to the affected system for more than a month.
The exposed server, known as a payment portal or recovery site, is the system the Conti gang directs victims to visit in order to negotiate ransom payments.
“Our team detected a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to discover the real IP addresses of the hidden service hosting the group’s recovery website,” Swiss security firm Prodaft said in a 37-page report published on Thursday, identifying the server as hosted on 217.12.204.135, an IP address owned by Ukrainian web hosting company ITL LLC.