
Angry Affiliate Leaks Conti Ransomware Gang Methods!

A seemingly vengeful affiliate of the Conti gang has leaked the ransomware group's playbook after alleging that the notorious cyber-criminal organisation underpaid him for doing its work.

The data includes IP addresses for the group's Cobalt Strike C2 servers as well as an archive of tools & training materials that reveal how it carries out attacks.

Ransomware Developer

A security researcher shared a comment from an online forum, allegedly posted by someone who did business with Conti, that included information integral to its ransomware-as-a-service (RaaS) operation, according to a report.

RaaS is a model in which an experienced ransomware developer creates & manages all the tools & infrastructure needed to perform attacks, while recruited affiliates do the actual intrusion work. The two sides usually agree on a revenue split, with the operator typically keeping a 20-30% cut of each ransom & the affiliate receiving the remainder.

Holy Grail

Apparently, the group didn't pay a disgruntled affiliate as much as expected, leading to an online rant & a leak of key data representing “the holy grail of the pen-tester operation behind the Conti ransomware ‘pen-tester’ team from A-Z,” ethical hacker & security researcher Vitali Kremez stated, according to the report.

Data revealed by the post included the IP addresses for the group's Cobalt Strike command-and-control (C2) servers & a 113MB archive containing numerous tools & training material on how Conti performs ransomware attacks, according to the report; Kremez later verified the leak on Twitter.

The affiliate claimed he received only $1,500 for his work, grumbling that “they recruit suckers & divide the money among themselves.”

Defend Your Networks from Conti

Based on the leaked playbook, Kremez tweeted a warning for network administrators looking for Conti activity to “scan for unauthorised Atera Agent installations & AnyDesk persistence”.

Kremez also told Bleeping Computer that the playbook “matches the active cases for Conti as we see right now.”
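The scan Kremez recommends is, in practice, a fleet-wide inventory question: which hosts run an Atera Agent or AnyDesk service that nobody approved, and does it persist across reboots? The script below is an added example written for this page, not code from the leak, from Kremez, or from the report. It triages a CSV of Windows services (the kind you would get by running `Get-CimInstance Win32_Service` on each host and prefixing rows with the hostname) against a per-host allowlist. The service names and install-path fragments used as indicators are assumptions drawn from the two products' default Windows installs, and the inventory rows are constructed sample data.

```python
"""Triage a fleet-wide Windows service inventory for unauthorised Atera Agent
installs and AnyDesk persistence.

Input format: one CSV built by running, on each host,
    Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode,State
and prefixing each row with the hostname. Hosts where an MSP legitimately runs
Atera, or where AnyDesk is approved, are listed in an allowlist so only the
unexpected installs are reported.
"""
import csv
import io
import re

# Service names and install-path fragments for the two tools. These are
# assumptions based on the products' default Windows installs, not indicators
# taken from the leaked playbook; tune them to what your own telemetry shows.
INDICATORS = {
    "AteraAgent": {
        "service_names": {"ateraagent"},
        "path_regex": re.compile(r"atera networks\\ateraagent|ateraagent\.exe", re.I),
    },
    "AnyDesk": {
        "service_names": {"anydesk"},
        "path_regex": re.compile(r"\\anydesk(\\|\.exe)", re.I),
    },
}

# AnyDesk started from a user profile is the portable build, which needs no
# admin install and is typical of hands-on-keyboard use rather than IT tooling.
USER_PROFILE_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def classify_service(name, path):
    """Return the tool label if the service looks like Atera or AnyDesk, else None."""
    for tool, ind in INDICATORS.items():
        if name.lower() in ind["service_names"] or ind["path_regex"].search(path or ""):
            return tool
    return None


def find_unauthorised(csv_text, allowlist):
    """Return findings for Atera/AnyDesk services on hosts not approved for them.

    allowlist maps lower-case hostname -> set of tool labels approved there.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = classify_service(row["Name"], row["PathName"])
        if tool is None:
            continue
        host = row["host"].strip().lower()
        if tool in allowlist.get(host, set()):
            continue
        flags = []
        if row["StartMode"].strip().lower() in ("auto", "automatic"):
            flags.append("autostart")          # survives reboot: persistence, not a one-off session
        if USER_PROFILE_PATH.search(row["PathName"]):
            flags.append("user-profile path")  # portable AnyDesk dropped by a user
        findings.append({
            "host": host,
            "tool": tool,
            "service": row["Name"],
            "path": row["PathName"],
            "flags": flags,
        })
    return findings


# Constructed sample inventory (not real telemetry): fs01 is an MSP-managed
# file server where Atera is expected; the other two installs are not.
SAMPLE_SERVICES = r"""host,Name,PathName,StartMode,State
fs01,AteraAgent,"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",Auto,Running
ws-042,AteraAgent,"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",Auto,Running
ws-017,AnyDesk,"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe --service",Auto,Running
dc01,Spooler,C:\Windows\System32\spoolsv.exe,Auto,Running
"""

# Hypothetical allowlist: only fs01 is approved to run the Atera agent.
ALLOWLIST = {"fs01": {"AteraAgent"}}

if __name__ == "__main__":
    for f in find_unauthorised(SAMPLE_SERVICES, ALLOWLIST):
        print(f"{f['host']}: unauthorised {f['tool']} service '{f['service']}' "
              f"({', '.join(f['flags']) or 'no extra flags'}) -> {f['path']}")
```

On the sample data the script reports ws-042 (an Atera agent on a workstation nobody enrolled with an MSP) and ws-017 (an AnyDesk service pointing into a user's AppData folder, flagged both as autostarting and as a user-profile install). The allowlist is the important design choice: both products are legitimate IT tools, so the signal is not their presence but their presence on hosts where the organisation never deployed them.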

Another security researcher, who tweets as @Pancak3, advised blocking several IP addresses that the leaked data identified as being in use by Conti, to head off attacks by the group.

Ransomware Rising

While the leak is a blow to the activities of the Conti operators, it also provides other threat actors tools they need to build up skills to conduct attacks of their own, Kremez told Bleeping Computer.

“The implications are huge & allow new pen-tester ransomware operators to level up their pen-tester skills for ransomware, step-by-step,” he explained, according to the report.

International Authorities

Overall, ransomware gangs have been on the run lately, with mounting pressures & crackdowns from international authorities that already have led to the shutdown of some key players, including REvil & DarkSide.

Meanwhile, new threat groups that may or may not have spawned from the previous ranks of these cybercriminal organisations are sliding in to fill the gaps they left.

Haron & BlackMatter are among those that have emerged recently, intent on using ransomware to target large organisations that can pay million-dollar ransoms.
