On 5 August 2021 the playbook and training material of the Conti ransomware gang were leaked on a popular Russian-speaking hacking forum by a disgruntled Conti affiliate. Conti runs as a ransomware-as-a-service (RaaS) operation: the core team recruits affiliates and trains them to carry out the intrusion and deploy the ransomware. Under this model the core team keeps roughly 20-30% of each ransom payment and the affiliates receive the rest.
The affiliate leaked the material, which included the IP addresses of Cobalt Strike command-and-control (C2) servers and a 113 MB archive of tools and training documents for conducting ransomware attacks, because they were angry at having been paid only $1,500 for their part in an attack while the rest of the team made millions and kept promising large pay-outs once a victim paid.
“I merge you their ip-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays,”
Security researchers have already analysed the archive. It contains a manual on deploying Cobalt Strike, instructions for using Mimikatz to dump NTLM hashes, and numerous other text files filled with the commands used during an intrusion. Based on current and past Conti incidents, they have confirmed that the leaked material matches Conti's present operations, which makes it a very useful resource for defending against Conti ransomware attacks.
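Because the leaked playbook names the tooling (Mimikatz for credential dumping, Cobalt Strike for C2), defenders can turn it into hunting logic. The script below is an added example written for this page, not code from the article, from the researchers or from the leaked archive. It scans constructed process-creation and network log lines for Mimikatz credential-dumping modules on the command line and for connections to a placeholder C2 list. The log format, field names and the C2 addresses (documentation-range IPs, deliberately not the leaked ones) are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed IOC list: documentation-range placeholders standing in for the
# Cobalt Strike C2 addresses a defender would take from the leak.
C2_IPS = {"203.0.113.10", "198.51.100.25"}

# Mimikatz modules commonly used for credential dumping (logonpasswords dumps
# NTLM hashes from LSASS; lsadump::* pulls hashes from SAM/LSA/AD).
MIMIKATZ_MODULES = re.compile(
    r"(sekurlsa::(logonpasswords|minidump|pth)|lsadump::(sam|lsa|dcsync)|privilege::debug)",
    re.IGNORECASE,
)

# Constructed sample telemetry in an assumed key=value format.
PROC_LOGS = [
    'host=ws01 user=CORP\\jsmith image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.docx"',
    'host=ws02 user=CORP\\admin image=C:\\Users\\Public\\mm.exe cmd="mm.exe privilege::debug sekurlsa::logonpasswords exit"',
    'host=ws03 user=CORP\\svc image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami"',
]
NET_LOGS = [
    'host=ws02 dst=203.0.113.10:443 proto=tcp',
    'host=ws01 dst=192.0.2.5:443 proto=tcp',
]


@dataclass
class Finding:
    host: str
    reason: str
    evidence: str


def parse_event(line):
    """Parse 'key=value' pairs; values containing spaces are double-quoted."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}


def hunt_process_events(lines):
    """Flag process command lines that invoke Mimikatz modules (renamed binaries included)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        mods = [m.group(0) for m in MIMIKATZ_MODULES.finditer(ev.get("cmd", ""))]
        if mods:
            findings.append(Finding(ev.get("host", "?"), "mimikatz module in command line", ", ".join(mods)))
    return findings


def hunt_netflow(lines, c2_ips):
    """Flag outbound connections whose destination IP is on the C2 list."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        dst = ev.get("dst", "")
        ip = dst.rsplit(":", 1)[0]  # strip the port
        if ip in c2_ips:
            findings.append(Finding(ev.get("host", "?"), "connection to known C2 address", dst))
    return findings


if __name__ == "__main__":
    for f in hunt_process_events(PROC_LOGS) + hunt_netflow(NET_LOGS, C2_IPS):
        print(f"{f.host}: {f.reason} ({f.evidence})")
```

Command-line matching only catches Mimikatz run as a separate process; when it is executed in memory from a Cobalt Strike beacon, which the playbook's C2-centric workflow makes likely, there is no such command line to see, so the network indicators and LSASS access telemetry from an EDR are the more reliable signals.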
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.