Inadequate Payment Leads the Affiliate to Leak the Ransomware Gang's Technical Manual


A frustrated Conti affiliate leaked the gang's training material for carrying out attacks and released details on one of the ransomware operation's administrators. The leak includes the IP addresses of Cobalt Strike C2 servers and a 113 MB archive holding a wide variety of training material and tools used in ransomware attacks.

Conti operates as "Ransomware-as-a-Service" (RaaS): a core group develops the malware and runs the Tor sites, while affiliates carry out the intrusions. It has been tracked as a ransomware operation since 2020.

Most Conti ransomware is deployed directly by an intruder who has gained access through an exposed RDP port, a phishing e-mail sent to an employee's computer, malicious attachments or downloads, unpatched software, or flaws in network access controls.

The material was recently posted on XSS, an underground cybercrime forum, by an individual who was apparently unhappy with the small share of the money the Conti gang paid for breaking into corporate networks. The files were uploaded to a forum used by Russian-speaking cybercriminals and contain numerous instruction manuals, reportedly from Conti, a Russian-speaking hacking group that has attacked several healthcare organizations, including hospital chains in the U.S. and Ireland's national health system, the Health Service Executive.

Under this model the core team takes 20-30 percent of each ransom payment and the affiliates keep the rest. The affiliate said he shared the material because he had been paid only $1,500 for one operation while the rest of the gang made millions, after having been promised large payouts once a victim paid the ransom.

In one of the step-by-step tutorials, written in Russian, participants are told how to locate and compromise victims using Cobalt Strike. The instructions state that the first step is to use Google to look up a target company's revenue. Affiliates are then directed to identify employee accounts with administrative privileges in the firm and shown how to use that access to deploy the ransomware, encrypt the network, and demand a ransom for decryption.

"The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous, and experienced they are while targeting corporations worldwide," says Advanced Intel's Vitali Kremez, who had already analyzed the archive. "It also provides a plethora of detection opportunities, including the group's focus on AnyDesk persistence and Atera security software agent persistence to survive detections."
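The persistence technique Kremez points to, installing legitimate remote-management tools such as AnyDesk and the Atera agent as Windows services, leaves a clear trace in the System event log: a "service installed" record (Event ID 7045). The following script is an added example written for this article, not code from the leak or from Advanced Intel. It parses constructed, one-line renditions of such events (the hostnames, timestamps, and service names below are made up for illustration; the keyword list is an assumption about what the tool names look like on disk) and flags any remote-management service installed on a host that is not on an approved baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape of flattened Windows System log entries.
# EventID 7045 = "A service was installed in the system". These lines are illustrative
# only; they are not real logs from any incident.
SAMPLE_EVENTS = [
    '2021-08-05T10:12:01Z host=WS-017 EventID=7045 ServiceName=AnyDesk '
    'ImagePath="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service" StartType=auto',
    '2021-08-05T10:13:44Z host=WS-017 EventID=7045 ServiceName=AteraAgent '
    'ImagePath="C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe" StartType=auto',
    '2021-08-05T11:02:10Z host=SRV-DB1 EventID=7045 ServiceName=MSSQLSERVER '
    'ImagePath="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" StartType=auto',
    '2021-08-05T11:30:00Z host=WS-017 EventID=4624 LogonType=10 User=helpdesk',
]

# Assumed substrings that identify remote-management tooling in a service name or
# binary path. Extend this list with whatever RMM products your environment watches for.
RMM_INDICATORS = {
    "anydesk": "AnyDesk",
    "atera": "Atera agent",
}

# key=value pairs, where the value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    timestamp: str
    host: str
    service: str
    tool: str
    image_path: str


def parse_event(line: str) -> dict:
    """Split one flattened log line into a dict of fields; the leading token is the timestamp."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def detect_rmm_installs(lines, approved_hosts=frozenset()):
    """Return a Finding for every service-install event that references a known
    remote-management tool on a host that is not in the approved baseline."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7045":
            continue  # only service installations are of interest here
        host = event.get("host", "")
        if host in approved_hosts:
            continue  # RMM tooling is expected on these machines
        haystack = f'{event.get("ServiceName", "")} {event.get("ImagePath", "")}'.lower()
        for needle, tool in RMM_INDICATORS.items():
            if needle in haystack:
                findings.append(Finding(
                    timestamp=event["timestamp"],
                    host=host,
                    service=event.get("ServiceName", ""),
                    tool=tool,
                    image_path=event.get("ImagePath", ""),
                ))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_rmm_installs(SAMPLE_EVENTS):
        print(f"{finding.timestamp} {finding.host}: {finding.tool} installed as service "
              f"'{finding.service}' ({finding.image_path})")
```

Run against the constructed sample, the script reports the AnyDesk and Atera installs on WS-017 and ignores the SQL Server service and the logon event. The baseline set matters: a help desk that legitimately deploys an RMM agent to every workstation would make this rule noisy, so the useful signal is an installation on a host, or by an account, where that tool is not expected.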