An angry and unhappy affiliate of the Conti ransomware gang has leaked some sensitive information about the group after some financial conflicts. The files were uploaded on an underground forum named XSS and contain details about tools and tactics used by Conti.

What was discovered

An individual actor, an affiliate of the Conti group’s RaaS operations, apparently had some issues related to the distribution of ransom money. A small payment of $1,500 turned out to be the bone of contention and the actor leaked the details online as a sort of vengeance.
  • The leaked data includes screenshots of the IP addresses that are used by the Conti gang for hosting its Cobalt Strike C2 server. These servers are used by the affiliates to access the targeted company networks.
  • The actor also posted a 113MB RAR archive - Manuals for hard workers and software.rar. The archive contains 37 text files with instructions and training materials provided for carrying out attacks.
  • The leaked information includes how-to guides for configuration and usage of tools, such as Rclone, AnyDesk, NetScan, Metasploit, and Ngrok. It also contains instructions and procedures for SMB brute-force attacks, Zerologon exploit attacks, and Kerberoasting attacks, among others.

The leaked information is said to be the holy grail of the penetration testing team working behind the Conti gang, providing step-by-step instructions to sharpen the attack skills of any new ransomware operator.

Recent attacks

In the past few months, the Conti gang and its affiliates have been wreaking havoc, targeting several organizations across the globe.
  • In June, the gang claimed that it had stolen more than 4,000 digital files from the Scottish Environment Protection Agency (Sepa), impacting its major services.
  • Around the same time, the FBI had linked more than 16 ransomware attacks to the Conti gang, which was targeting healthcare and first responder networks in the U.S.

Ending notes

On one hand, this leak has revealed the ways in which Conti operates its RaaS business maturely, providing ample tools and training for novice criminals. On the other hand, it also highlights the vulnerabilities in RaaS businesses, where one unhappy affiliate could expose all the resources and secrets of an entire ransomware operation.

Cyware Publisher