[TheRecord] Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals

A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files.

Leaked on an underground cybercrime forum named XSS earlier today, the files were shared by an individual who appears to have had an issue with the low amount of money the Conti gang was paying them to breach corporate networks.

Image: The Record
Image: The Record

In messages spammed across the forum, the individual shared screenshots of IP addresses where the Conti gang hosts Cobalt Strike command-and-control servers, which Conti affiliate members use to access hacked company networks.

🤫 go block these 🤫
162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1

— pancak3 (@pancak3lullz) August 5, 2021

In addition, the individual also published a RAR archive named “Мануали для работяг и софт.rar,” which roughly translates to “Manuals for hard workers and software.rar.”

This archive contains 37 text files with instructions on how to use various hacking tools and even legitimate software during a network intrusion.

For example, the leaked manuals contain guides on how to:

configure the Rclone software with a MEGA account for data exfiltrationconfigure the AnyDesk software as a persistence and remote access solution into a victim’s network [a known Conti tactic]configure and use the Cobalt Strike agentuse the NetScan tool to scan internal networksinstall the Metasploit pen-testing framework on a virtual private server (VPS)connect to hacked networks via RDP using a Ngrok secure tunnelelevate and gain admin rights inside a company’s hacked networktake over domain controllersdump passwords from Active Directories (NTDS dumping)perform SMB brute-force attacksbrute-force routers, NAS devices, and security camerasuse the ZeroLogon exploitperform a Kerberoasting attackdisable Windows Defender protectionsdelete shadow volume copieshow affiliates can configure their own operating systems to use the Tor anonymity network, and more

Image: The Record

Leaks from Ransomware-as-a-Service (RaaS) operations are extremely rare; however, the data shared today isn’t anything that security researchers would describe as groundbreaking.

The leaked files contain guides for basic offensive tactics and techniques that the Conti and other ransomware gangs have used during previous intrusions for years.

However, the leak will help some security firms put together stronger defensive playbooks that they can recommend to their customers in order to improve their ability to detect Conti intrusions—now knowing exactly what operations Conti affiliates might execute.

The post Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[BleepingComputer] Microsoft takes down domains used to scam Office 365 users

Microsoft’s Digital Crimes Unit (DCU) has seized 17 malicious domains used by scammers in a business email compromise (BEC) campaign targeting the company’s customers. […] Source: Read More (BleepingComputer)

Read More

Daily NCSC-FI news followup 2020-09-10

Viranomainen varoittaa huijausviestistä – varo tätä sähköpostia www.is.fi/digitoday/tietoturva/art-2000006630773.html Apple ID -tunnusten kalastelu on nyt aktiivista. Huijauksen mukaan vastaanottajan Apple ID:tä olisi käytetty luvattomasti muualla Applen iCloud-palveluun kirjautumiseksi. Tämän väitetään tapahtuneen Moskovasta käsin. Mukana on keinotekoinen ip-osoite sekä päivämäärä ja kellonaika. Ne saattavat vaihdella viestistä toiseen. Katso myös meidän twiitti: https://twitter.com/CERTFI/status/1303604786361774080 Ransomware accounted for 41% of […]

Read More

Daily NCSC-FI news followup 2021-07-01

NSA, CISA, NCSC, FBI: Russian military cyber-unit Fancy Bear (APT28) behind large-scale brute-force attacks therecord.media/fbi-nsa-russian-military-cyber-unit-behind-large-scale-brute-force-attacks/ US and UK cybersecurity agencies said today that a Russian military cyber unit has been behind a series of brute-force attacks that have targeted the cloud IT resources of government and private sector companies across the world. Direct link to […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.