Skip to content

Analysis of the leaked Conti ransomware manuals

Several days ago, as a result of a disagreement about the fair distribution of ransomware proceeds of crime within the Conti cybercriminal fraternity, one of the group’s affiliates publicised close to 60 files containing manuals and resources for Conti ransomware operators.

This information dump provides a unique insider glimpse into how ransomware groups function, how they go about picking their targets, what methods they use, what resources they share and what defenders can look out for when trying to stop an intrusion.

There probably isn’t that much of new content here, as some of the techniques and software have been used by cybercriminals for a while. Yet it’s pretty rare to witness a complete information dump such as this, originating from within the actual ransomware operator community.

NOTE: The original documents are all in Russian – any discrepancies or inaccuracies that might arise result from my own translatory shortcomings.

Preparation

  • The attackers set up a virtual machine using a VeraCrypt encrypted volume for their own security.
  • Disabling webrtc, Javascript and Flash is NOT recommended – as this could result in an operator attracting more attention when connecting to target systems.
  • The manual advises against using Kali Linux in favour of Debian or another custom built system.
  • Connections to target systems are established through proxy IP addresses owing to the usage of Proxifier, Tor and Whonix.

Reconnaissance

  • Automated pings are sent out to target systems using a batch file and a list of machines.
  • RouterScan is used to, nomen omen, identify routers on a specific IP address range. It will also attempt to connect to those using a list of known default credentials.
  • A cracked version of Cobalt Strike (legitimate pentesting software) is being used to conduct system profiling and establish covert communication.
  • Internal network scans are conducted using NetScan, which focuses on finding information such as host names, open ports, groups and domains, device and OS information, etc.

Exploitation

  • Access to victim machines takes place using the RDP port (Remote Desktop Protocol) by abusing Ngrok, a legitimate remote access software.
  • Once connection is established, remote access to the target machine is maintained using AnyDesk.
  • Metasploit is used to check for exploits and vulnerabilities.
  • When exploiting Windows operating systems, the attackers set out to create a list of Active Directory users (ad_users) and save it as a text file. This file will later be used to run automated scripts aimed at injecting a malicious process and bypass an AV program.
  • Mimikatz / LSASS are used to extract passwords and password hashes from memory.

Post-Exploitation

  • Domain controller enumeration and data extraction is facilitated using PowerView.
  • Windows Defender is turned off (manually, if necessary) and shadow volume copies are deleted from the system.
  • Data exfiltration takes place using Rclone and MEGA.

Intelligence

So much for the techniques used by Conti operators, in a snapshot.

Also interesting are parts of the manuals that include some pieces of digital intel, as follows:

Admin details:

Nickname: Tokyo

Jabber: cicada3301@strong.pmĀ 

IP addresses of command & control servers:

  • 162.244.80.235
  • 85.93.88.165
  • 185.141.63.120
  • 82.118.21.1

NOTE: It’s reasonable to expect that at this stage the above IP addresses have been changed – but this information can still be useful for analysing past events and connection attempts from these addresses.

List of machine names used to connect to target systems:

CLeichty
sd-cernst-vista
SDBUILD11
sd-books-01
sdt-xp-04
DEV-SPARE
MININT-N3JOUQL
SDBUILD10
sdmmarshall02
gary-x60
laptop07
gary-x61
cernstdesktop
pkomosin01
MININT-50C2BP7
DESKTOP-PC
SGRAY-PC
MattHLaptop
MattLauth-PC
jimbendt
laptop05
sdbuild13
nholli-laptop01
rthomp01
sdlaptop02
SDT-Vista-01
SDBuild19
GHARPST-LAPTOP
sdt-xp-01
dedds01
sdt-xp-02
SDT-WIN7X64-01
DKECK-OUTLOOK
vern-laptop
GHARPST01
mheidepriem
CWETHERILL2
PKOMOSINSKI01
GHARPST-X200
six-d9db82df276
jridge01
banderson02
SDT-Win8x64-01
SDT-XP-03
SD-EMailVerifier-01
russ-PC
bclark03
SDD-Win8x64-01
GMHII
casey-PC
GH-SURFACE
mheidepriem01
DKECK-WIN7
SDT-Win81x64-01
jbendt-01
dkeck-VM
sdt-vista-02
sdt-xp-05
VERN-THINK
SDT-WIN7X86-02
perload02
MLAUTH01
cernst-desktop
XPS
cernst01
PHARTMAN01
CASEY-D810
SGRAY-PC1
DellLatD830
mheidepriemDesk
DLOCKET01
dlockert
AutomatedTest
COREYL-DESKTOP
d410loaner
DKECK-DESKTOP
GH11
WIN-DSICSJFMGTJ
WIN-9CH5144SG63
NStrong
BLARK-E5530
CASEY-ASUS
Casey-Desktop
SDT-Win10x64-01
CWETHERILL
DESKTOP-T6363GF
GH-PC
MHeidepriem03
MHEIDEPRIEM02
SDT-Win10x64-02
SDBUILD-01
SDT-Win8x86-01
SDBUILD-02
SS-SLATE
Gary-Yoga
SDT-WIN7X86-01
BSI-PWD-01
LOANER
Wetherill
SurfacePro3
DESKTOP-K66L1AA
SDS-NKOMOSINSKI
blortied420
casey-laptop
Wetherill-Acer
SDBUILD-LAP1
davids-macbook
SDBUILD14
lenovocarbon
VSTRONG-LENOVO
SD-VERN-01
CaseyAcer
casey-dev
DKECK-WORK
dkeck-dev
6D-JHARPST-02
Cory-Asus
SIXD-TMACKE-L1
rmortensen1
6d-jharpst-01
CoreyL-Laptop
rmortensen
CoreyL-Dev

List of passwords commonly targeted for brute forcing by the operators using SMB Autobrut (yes, people still use such weak passwords…):

Password1
Hello123
password
Welcome1
banco@1
training
Password123
job12345
spring
food1234

June2020
July2020
August20
August2020
Summer20
Summer2020
June2020!
July2020!
August20!
August2020!
Summer20!
Summer2020!

NOTE: The point of listing these is to highlight how pathetically weak such passwords are. Also, attackers actively scan for domain controller information and no lockout threshold set on the account – which means that the account does not lock after a specified number of failed authentication attempts, therefore it can be brute forced without any constraints.

Site used for creating and editing commands:

http://tobbot.com/data/

(flagged as malicious by some scanners)

List of recommended Telegram forums:

  • https://t.me/peass
  • https://t.me/antichat
  • https://t.me/thebugbountyhunter
  • https://t.me/club1337
  • https://t.me/infosec1
  • https://t.me/RalfHackerChannel
  • https://t.me/in51d3
  • https://t.me/exploithacker
  • https://t.me/Premium_Hacking
  • https://t.me/DownloadCourse14
  • https://t.me/ViperZCrew
  • https://t.me/techpwnews
  • https://t.me/cyb3rhunt3r
  • https://t.me/cveNotify
  • https://t.me/MalwareResearch
  • https://t.me/BugCrowd
  • https://t.me/itsecalert

4 thoughts on “Analysis of the leaked Conti ransomware manuals”

  1. Does it make sense to tou, their rationalw for advising against “Disabling webrtc, Javascript and Flash” and “using Kali Linux”?

Leave a Reply

Your email address will not be published. Required fields are marked *