Insider Leaks Data From Conti Ransomware Group

A hacker apparently affiliated with the Conti ransomware group has posted inside information on the gang that researchers said could help defend against attacks.

The hacker apparently posted the information in revenge after being denied their expected share of ransomware revenues.

The Conti group offers ransomware-as-a-service, providing back-end infrastructure such as malware and command servers, which are then used by affiliates to carry out the actual attacks.

The group is notorious for having targeted healthcare organisations in various countries, including Ireland’s Health Service Executive.

Revenge

The inside information on Conti was posted by a hacker claiming to be one of the group’s affiliates, who said they had been denied their expected share of a ransom payment.

Affiliates usually keep 70 to 80 percent of a ransom payment, with Conti keeping the remainder.

Security researcher Pancak3 posted a link on social media to a post on a Russian-language hacker forum where the affiliate had leaked information on Conti, including IP addresses used for command servers and a 113 MB archive containing tools and training materials provided by Conti to affiliates.

The post also included the beacon configurations Conti uses for Cobalt Strike, a legitimate penetration-testing tool that Conti and other gangs abuse to deploy ransomware.

The affiliate said they had been underpaid for their role in carrying out attacks. A report by Bleeping Computer, citing an unnamed source, suggested the affiliate had been shut out of revenues for promoting a rival malware programme.

Inside information

“They recruit suckers and divide the money among themselves,” the affiliate said in the Russian-language post.

Pancak3, posting on Twitter, urged system administrators to block the IP addresses provided by the affiliate to help guard against Conti attacks.

Security researchers said the other details provided, such as the specific methods Conti advises affiliates to use once they have penetrated a system, could help organisations detect attacks.
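The defensive advice above (block the leaked command-server addresses, and watch for traffic to them) can be turned into a simple check. The following is an added example, not code from the article or from any of the researchers it quotes; the indicator addresses are constructed RFC 5737 documentation placeholders rather than the real leaked IPs, and the firewall log format is an assumed one.

```python
import ipaddress

# Constructed placeholder indicators (RFC 5737 documentation ranges); the
# actual addresses from the leak are deliberately not reproduced here.
# Entries may be single hosts or CIDR ranges, as a shared blocklist often is.
LEAKED_C2_INDICATORS = [
    "203.0.113.7",       # single host placeholder
    "198.51.100.0/24",   # range placeholder
]


def load_blocklist(entries):
    """Parse host and CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_listed(ip, blocklist):
    """True if the address falls inside any listed host or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed field in a log line is not a match
    return any(addr in net for net in blocklist)


# Constructed sample outbound firewall log: "<ts> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2021-08-05T10:00:01Z 10.0.0.15 -> 93.184.216.34:443 ALLOW
2021-08-05T10:00:07Z 10.0.0.22 -> 203.0.113.7:443 ALLOW
2021-08-05T10:00:09Z 10.0.0.22 -> 198.51.100.42:8080 ALLOW
2021-08-05T10:00:15Z 10.0.0.31 -> 10.0.0.1:53 ALLOW
this line is not a log record
"""


def parse_log_line(line):
    """Split one record of the assumed format; return None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    dst_ip, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {"ts": parts[0], "src": parts[1], "dst": dst_ip,
            "port": int(port), "action": parts[4]}


def find_matches(log_text, blocklist):
    """Return the records whose destination is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and is_listed(rec["dst"], blocklist):
            hits.append(rec)
    return hits


def firewall_rules(blocklist):
    """Render outbound DROP rules (iptables syntax) for review before deployment."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP" for net in blocklist]


if __name__ == "__main__":
    bl = load_blocklist(LEAKED_C2_INDICATORS)
    for rec in find_matches(SAMPLE_LOG, bl):
        print(f"{rec['ts']} host {rec['src']} contacted listed address {rec['dst']}:{rec['port']}")
    print("\n".join(firewall_rules(bl)))
```

Any internal host that shows up in the output has already reached an address on the list, so the useful follow-up is an incident-response check on that host, not just the block rule.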

The detailed Russian-language training material and help documents indicate the high degree of organisation attained by Conti and similar groups.

But the incident also indicates that hacking gangs are vulnerable to sabotage from the inside.

The US government is seeking to encourage insiders to turn against malware groups with the recently announced Rewards for Justice programme, which offers a potential $10 million (£7m) reward for tips.

Kaseya hack

In July Russia-based hacking group REvil breached software firm Kaseya, using it as a stepping stone to encrypt the systems of hundreds of Kaseya customers. Kaseya later said it had received a decryption tool, but only after the damage was done.

In May the DarkSide ransomware group shut down the Colonial Pipeline in the eastern US, causing widespread fuel shortages.

Colonial paid a ransom of $4.4m in Bitcoin, most of which was later recovered after the US Department of Justice seized the funds.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
