Insider Leaks Data From Conti Ransomware Group

Disgruntled affiliate from Conti gang’s ransomware service leaks valuable technical details and instruction manuals, amidst battle against malware groups

A hacker apparently affiliated with the Conti ransomware group has posted inside information on the gang that researchers said could help defend against attacks.

The hacker apparently posted the information in revenge after being denied their expected share of ransomware revenues.

The Conti group offers ransomware-as-a-service, providing back-end infrastructure such as malware and command servers, which are then used by affiliates to carry out the actual attacks.

The group is notorious for having targeted healthcare organisations in various countries, including Ireland’s Health Service Executive.

Revenge

The inside information on Conti was posted by a hacker claiming to be one of the group’s affiliates, who said they had been denied their expected share of a ransom payment.

Affiliates usually keep 70 to 80 percent of a ransom payment, with Conti keeping the remainder.

Security researcher Pancak3 posted a link on social media to a post on a Russian-language hacker forum where the affiliate had leaked information on Conti, including IP addresses used for command servers and a 113 MB archive containing tools and training materials provided by Conti to affiliates.

The post also included beacon configurations Conti uses for Cobalt Strike, a legitimate penetration-testing tool used by Conti and other gangs to deploy ransomware.

The affiliate said they had been underpaid for their role in carrying out attacks. A report by Bleeping Computer, citing an unnamed source, suggested the affiliate had been shut out of revenues for promoting a rival malware programme.

Inside information

“They recruit suckers and divide the money among themselves,” the affiliate said in the Russian-language post.

Pancak3, posting on Twitter, urged system administrators to block the IP addresses provided by the affiliate to help guard against Conti attacks.

Security researchers said the other details provided, such as the specific methods Conti advises affiliates to use once they have penetrated a system, could help organisations detect attacks.

The detailed Russian-language training material and help documents indicate the high degree of organisation attained by groups such as Conti.

But the incident also indicates that hacking gangs are vulnerable to sabotage from the inside.

The US government is seeking to encourage insiders to turn against malware groups with the recently announced Rewards for Justice programme, which offers a potential $10 million (£7m) reward for tips.

Kaseya hack

In July Russia-based hacking group REvil breached software firm Kaseya, using it as a stepping stone to encrypt the systems of hundreds of Kaseya customers. Kaseya later said it had received a decryption tool, but only after the damage was done.

In May the DarkSide ransomware group shut down the Colonial Pipeline in the eastern US, causing widespread fuel shortages.

Colonial paid a ransom of $4.4m in Bitcoin, most of which was later recovered after the US Department of Justice seized the funds.