Several days ago, as a result of a disagreement about the fair distribution of ransomware proceeds of crime within the Conti cybercriminal fraternity, one of the group’s affiliates publicised close to 60 files containing manuals and resources for Conti ransomware operators.
This information dump provides a unique insider glimpse into how ransomware groups function, how they go about picking their targets, what methods they use, what resources they share and what defenders can look out for when trying to stop an intrusion.
There probably isn’t that much of new content here, as some of the techniques and software have been used by cybercriminals for a while. Yet it’s pretty rare to witness a complete information dump such as this, originating from within the actual ransomware operator community.
NOTE: The original documents are all in Russian – any discrepancies or inaccuracies that might arise result from my own translatory shortcomings.
- The attackers set up a virtual machine using a VeraCrypt encrypted volume for their own security.
- The manual advises against using Kali Linux in favour of Debian or another custom built system.
- Connections to target systems are established through proxy IP addresses owing to the usage of Proxifier, Tor and Whonix.
- Automated pings are sent out to target systems using a batch file and a list of machines.
- RouterScan is used to, nomen omen, identify routers on a specific IP address range. It will also attempt to connect to those using a list of known default credentials.
- A cracked version of Cobalt Strike (legitimate pentesting software) is being used to conduct system profiling and establish covert communication.
- Internal network scans are conducted using NetScan, which focuses on finding information such as host names, open ports, groups and domains, device and OS information, etc.
- Access to victim machines takes place using the RDP port (Remote Desktop Protocol) by abusing Ngrok, a legitimate remote access software.
- Once connection is established, remote access to the target machine is maintained using AnyDesk.
- Metasploit is used to check for exploits and vulnerabilities.
- When exploiting Windows operating systems, the attackers set out to create a list of Active Directory users (ad_users) and save it as a text file. This file will later be used to run automated scripts aimed at injecting a malicious process and bypass an AV program.
- Mimikatz / LSASS are used to extract passwords and password hashes from memory.
- Domain controller enumeration and data extraction is facilitated using PowerView.
- Windows Defender is turned off (manually, if necessary) and shadow volume copies are deleted from the system.
- Data exfiltration takes place using Rclone and MEGA.
So much for the techniques used by Conti operators, in a snapshot.
Also interesting are parts of the manuals that include some pieces of digital intel, as follows:
IP addresses of command & control servers:
NOTE: It’s reasonable to expect that at this stage the above IP addresses have been changed – but this information can still be useful for analysing past events and connection attempts from these addresses.
List of machine names used to connect to target systems:
List of passwords commonly targeted for brute forcing by the operators using SMB Autobrut (yes, people still use such weak passwords…):
NOTE: The point of listing these is to highlight how pathetically weak such passwords are. Also, attackers actively scan for domain controller information and no lockout threshold set on the account – which means that the account does not lock after a specified number of failed authentication attempts, therefore it can be brute forced without any constraints.
Site used for creating and editing commands:
(flagged as malicious by some scanners)
List of recommended Telegram forums: