Someone claiming to work with one of the more notorious ransomware gangs says he is fed up with the way the extortion money is divided and has leaked a slew of gang files on a pirate forum.
The files, posted on a forum frequented by Russian-speaking cybercriminals and reviewed by NBC News, include numerous instruction manuals allegedly belonging to Conti, a group of Russian-speaking hackers who attacked several hospitals, including healthcare chains in the United States and Ireland's national health system, the Health Service Executive.
In a step-by-step guide, written in Russian, members learn how to identify and hack victims using Cobalt Strike, software that includes a number of known hacking programs. Although designed for defenders to test their own systems, Cobalt Strike has become a popular tool for hackers.
The guide tells members that the first step is to use Google to research the revenue of a potential target business. Hackers are then tasked with finding the accounts of employees who have corporate administrative privileges and figuring out how to use that information to deploy ransomware that would encrypt their entire network to hold it hostage for ransom.
The leak appears genuine, said Allan Liska, ransomware analyst at cybersecurity firm Recorded Future, who said the attacks came from the same servers his company had already tracked as Conti's. Some of the files show the IP addresses used by Conti for the Cobalt Strike attacks, which Recorded Future had previously seen.
Ransomware hackers have attacked U.S. schools, hospitals and businesses with impunity, sparking international action. But ransomware gangs are often informal businesses that can turn on each other. The leak shows how Conti’s operations are seemingly outsourced from core gang members to affiliated hackers, a relationship that can deteriorate.
“What interests me about this is how scripted it is,” Liska said.
The hacker who leaked the information has been an active Conti ransomware affiliate for months, Liska said.
In his post about the leaked files, the user, whose role in Conti's operation was to find vulnerabilities in the networks of potential victims, complained that those at the top of the gang had taken too large a percentage of the extortion money.
“They recruit suckers and share the money,” the user wrote in Russian.