A disgruntled Conti affiliate has leaked the training material the gang hands out for conducting attacks, along with information about one of the ransomware's operators.
The Conti ransomware operation runs as ransomware-as-a-service (RaaS): the core team maintains the malware and the Tor sites, while recruited affiliates perform the network breaches and encrypt devices.
In this arrangement, the core team gets 20-30% of a ransom payment, while the affiliates earn the rest.
A security researcher shared a post from a popular Russian-speaking hacking forum, written by an angry Conti affiliate who publicly leaked information about the ransomware operation. The leak includes the IP addresses of Cobalt Strike C2 servers and a 113 MB archive containing numerous tools and training material for conducting ransomware attacks.
The affiliate says he posted the material because he was paid only $1,500 for his part in an attack, while the rest of the team makes millions and promises big payouts once a victim pays the ransom.
Attached to the post were images of Cobalt Strike beacon configurations containing the IP addresses of the command and control servers used by the ransomware gang.
The security researcher Pancak3 tweeted that everyone should block those IP addresses to prevent attacks from the group.
In a subsequent post, the affiliate shared an archive containing 111 MB of files, including hacking tools, manuals written in Russian, training material, and help documents allegedly provided to affiliates for performing Conti ransomware attacks.
Advanced Intel's Vitali Kremez, who had already analyzed the archive, stated that the training material matches active Conti cases.
According to sources, Conti banned the pentester after learning he was poaching business away from the operation by promoting a different, unidentified affiliate program. After being banned, the affiliate leaked Conti's training material and tools as revenge.
Kremez stated that the leak illustrates the vulnerability of ransomware-as-a-service operations, showing how a single unhappy affiliate can expose carefully cultivated information and resources used in attacks.
Image credits: Sensors Tech Forum