An apparently disgruntled freelancer has posted internal documents from the gang behind the ransomware known as Conti. Security researchers had already found the files last Thursday on the Russian-language “XSS” forum, which is widely used by cybercriminals. A user called m1Geelka wrote there that he was unhappy with the gang’s conduct and had therefore posted some of the criminals’ documents. Among other things, the files contained the IP addresses of some of the control servers through which the Conti gang apparently operated Cobalt Strike in its attacks, software that is actually intended for finding security flaws in authorized testing.
The Conti gang was most recently responsible for extorting the Irish public health service HSE in May. The group is also on the FBI’s radar after attacking at least 16 healthcare providers in May.
It is not known who the poster is, nor can his statements be independently verified. However, experts such as Mark Arena of the cybersecurity firm Intel 471 consider the posts and documents to be genuine. The techniques now disclosed match what security researchers already know about the operators of the Conti ransomware. According to Arena, it is rare for such internal extortion-gang documents to become public. The leak therefore offers a rare glimpse into how one of the top ransomware gangs has operated in recent months.
Internal ransomware extortion guide
Apparently the leaker was recruited as a so-called “pentester”, which is how he got to know how the extortionists work. Normally, pentesters (short for penetration testers) are IT security professionals who attempt to break into networks in order to identify and fix possible weak points. The ransomware gangs’ employees, ironically given the same title, do the same job with the same tools. The difference is that they are not interested in closing the gaps, but in exploiting them to install the encryption malware. The person behind the leak apparently did not want to do the work at all, but only wanted access to information while he was working for another gang. This caught the attention of Conti staff, who then threw him out. The leak was to be understood as revenge for his expulsion, he wrote in the forum.
The documents show how systematically attackers now proceed. It starts with a first step in which the target company’s annual revenue is looked up on Google. Then come tips and tools for spreading through the target network and for spying out and cracking further passwords. Finally, there are ways for the attackers to remain in the system even if they are discovered and removed. Well-known remote maintenance tools such as AnyDesk or Atera are used for this purpose.
The leak is interesting, but not a game-changer for IT defenders, says Tilman Frosch of the IT security firm G Data. After all, Conti is just one gang among many. The disclosed information could still help in individual cases, for example to “detect an existing compromise before the deployment of ransomware”. To do that, however, the customer must already be running sufficiently sensitive security monitoring. “This is usually not the case,” says Frosch.
No honor among thieves – but rules
The cybercriminals’ little quarrel shows it: there is no honor among thieves. That is a circumstance prosecutors could increasingly exploit. The US government wants to pay anonymous informants up to ten million dollars in future if they have information on cyber attacks against US infrastructure, conveniently payable in cryptocurrency. If the program were expanded to cover ransomware crime, this could be a strong incentive for low-level freelancers in large gangs. According to the leaker, Conti operators often pay their pentesters only $1,500 per extortion, while the bosses demand millions of dollars from the blackmailed companies. The Irish health service HSE was to pay $20 million.
The leaker was eventually banned from the Russian hacker forum. Not because he was a member of a criminal organization, nor because he had published a competitor’s tools, but because he had not discussed the post with the forum’s administrators beforehand. That is absolutely necessary, because “otherwise there is a risk of chaos, confusion and terror”. So there is some honor among thieves after all.