Annoyed member of Conti ransomware gang leaks insider information on Russian-speaking hacking forum

The angry affiliate says they are underpaid for the work

A disgruntled affiliate of the Conti ransomware service has leaked inside information about the group, including multiple tools and instruction manuals allegedly used by operatives to conduct ransomware attacks.

The details were leaked on a popular Russian-speaking hacking forum after Conti's operatives denied the hacker their expected share of ransomware revenues.

The angry affiliate said in the post that they received only $1,500 for the work, while recruiters divided the money among themselves.

The Conti ransomware group runs a ransomware-as-a-service (RaaS) operation: the core group maintains the malware and the back-end infrastructure, such as command-and-control servers, and affiliates use them to carry out the actual intrusions and encryption against targets.

In May, Conti operatives hit the network of Ireland's Health Service Executive (HSE) in a major ransomware attack. After the HSE refused to pay the ransom, the hackers began posting patients' medical and personal details online. The FBI said in May that Conti operatives had targeted at least 16 healthcare and first responder organisations in the US over the previous 12 months.

The group's affiliates usually keep 70 to 80 per cent of a ransom payment, while Conti keeps the remainder.

Last week, an anonymous source shared with Bleeping Computer details of a hacking forum post that was created by a disgruntled Conti affiliate and which contained information about the ransomware operation.

This information included a 113 MB archive containing numerous tools and training material for conducting ransomware attacks, along with the IP addresses of Cobalt Strike command-and-control (C2) servers.

"I merge you their ip-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays," the affiliate stated in the post.

One instruction manual, written in Russian, walks affiliates through identifying and compromising victims using Cobalt Strike. It tells them to use Google to look up the revenue of a potential target and then to find employee accounts with administrative privileges.

The guide then explains how that access can be used to deploy ransomware across the company's entire network.

In a subsequent post on the forum, the hacker shared another archive containing 111 MB of files.

Advanced Intel's Vitali Kremez, who analysed the archive, told Bleeping Computer that the playbook "matches the active cases for Conti as we see right now".

Another security researcher, who tweets as @Pancak3, advised defenders to block the IP addresses from the leak that Conti uses in its attacks.
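Blocking the leaked C2 addresses is only half of the defensive value; the other half is checking past traffic for hosts that already talked to them. The script below is an added example, not code from the leak, from Bleeping Computer or from the researchers quoted in this article. The indicator list and the firewall log lines are constructed for the example: the addresses are RFC 5737 documentation ranges (192.0.2.0/24 and 198.51.100.0/24) standing in for the real indicators, which you would load from the leak or your threat-intel feed, and the log format is a hypothetical key=value layout rather than any specific vendor's.

```python
"""Match outbound-connection log lines against a list of known C2 addresses
and render egress block rules for them.

Added example: the indicators and log lines below are constructed placeholders,
not the addresses from the Conti leak.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed indicator list: bare addresses and a CIDR range (placeholders).
C2_INDICATORS = [
    "192.0.2.10",
    "192.0.2.44",
    "198.51.100.0/28",
]

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2021-08-06T10:12:01Z action=allow src=10.20.1.15 dst=192.0.2.10 dport=443 proto=tcp
2021-08-06T10:12:05Z action=allow src=10.20.1.15 dst=93.184.216.34 dport=443 proto=tcp
2021-08-06T10:13:40Z action=allow src=10.20.3.8 dst=198.51.100.7 dport=8080 proto=tcp
2021-08-06T10:14:02Z action=deny src=10.20.3.8 dst=192.0.2.44 dport=443 proto=tcp
2021-08-06T10:15:00Z action=allow src=10.20.5.2 dst=198.51.100.200 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def build_networks(indicators: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise bare addresses and CIDRs to network objects; a bare address
    becomes a /32, and strict=False tolerates host bits set in a CIDR."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; raise on anything unexpected so a
    format change does not silently produce zero hits."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def match_c2(log_text: str, indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return the fields of every line whose destination falls inside an
    indicator, tagged with the indicator it matched. Allowed and denied
    connections are both reported: an allowed hit means the source host
    reached the C2 and needs triage, not just a firewall rule."""
    nets = build_networks(indicators)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        dst = ipaddress.ip_address(fields["dst"])
        for net in nets:
            if dst in net:
                fields["indicator"] = str(net)
                hits.append(fields)
                break
    return hits


def block_rules(indicators: Iterable[str]) -> List[str]:
    """Render one iptables egress DROP rule per indicator network."""
    return [f"iptables -A OUTPUT -d {net} -j DROP" for net in build_networks(indicators)]


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG, C2_INDICATORS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} ({hit['indicator']}) action={hit['action']}")
    print("\n".join(block_rules(C2_INDICATORS)))
```

On the constructed sample the matcher flags three lines: two allowed connections from 10.20.1.15 and 10.20.3.8 to listed addresses, which are the hosts to pull for investigation, and one already-denied connection, which shows a block rule doing its job. The 198.51.100.200 line is not a hit because it falls outside the /28 indicator, which is why indicators are stored as networks rather than compared as strings.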

The leak of Conti tools and training material has come amid a recent spate of ransomware attacks against American entities.

In May, US fuel distributor Colonial Pipeline suffered a massive ransomware attack that crippled fuel delivery in southeastern US states.

In June, Brazil-based JBS, the world's largest meat-packer by sales, paid $11 million in ransom after a massive attack targeting its computer systems in the US and Australia. Florida-based IT firm Kaseya also suffered a ransomware attack on 2nd July, suspected to be the work of the Russia-based REvil.

Following the Kaseya attack, White House press secretary Jen Psaki said that President Biden was considering all options for how to respond to ransomware attacks targeting US organisations.

Last month, the US State Department announced a reward of up to $10 million for information that could help identify or locate cyber actors that are working at the direction of a foreign government and targeting critical infrastructure in the US.