Ransomware turncoat leaks Conti data, lifts the lid on the ransomware business
Last week, The Record broke the news that a self-described “pen tester” for the infamous Conti ransomware gang, who goes by the handle m1Geelka, had leaked manuals, technical guides, and software on the underground forum XSS. According to the screenshot of m1Geelka’s original forum post—and screenshots of later ones from several security researchers being passed around on Twitter—their problem seems to be (surprise, surprise) money: Conti isn’t paying “hard workers” enough of what it extorts.
If you’ve heard of Conti, it’s likely in connection with a devastating attack on Ireland’s Health Service Executive in May. The attack affected the provision of healthcare across the entire country, causing hundreds of thousands of appointments to be scrapped.
m1Geelka’s rant starts:
Dumb divorce, not work. They recruit penetration testers, of course … They recruit guys to test Active Directory networks, they use the Locker – Conti. I merge you their 10-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.
The reference to “their 10-address cobalt servers and type of training materials” refers to the materials m1Geelka leaked on the forum, which included the IP addresses of the Conti gang’s Cobalt Strike command and control servers.
Aside from the tactics, techniques and procedures (TTPs), the leak comes with a few interesting lessons:
Ransomware is an industry
The leak further reinforces something we already knew: That ransomware is a mature criminal business that includes cooperation between groups, the division of labor, the division of work, extensive outsourcing and competition for skilled workers.
According to one observer, Conti’s recruitment on the XSS forum tries to induce potential “pen testers” like m1Geelka with familiar-sounding work conditions, such as fully remote working, a salary of $1,500 plus a percentage of the spoils from attacks, and a five-day work week (yup, you get weekends off).
Others reported that m1Geelka later suffered a case of buyer’s remorse and walked back some of their claims, saying they were never an affiliate of Conti and that they had only leaked data that was already public. Perhaps somebody reminded them that some things are done differently in the underground economy.
Everyone is vulnerable to insider threats
Although some see this leak as an example of there being “no honor among thieves”, it isn’t. Disgruntled employees or contractors exist in all walks of life, and occasionally take out their frustration on employers’ computers, networks, and data. The leak is simply another example of how unexceptional the ransomware economy is.
These kind of incidents happens everywhere—they even happen at the FBI—and, according to the UK’s National Crime Agency, they happened more in 2020 than in 2019 because of the disruption caused by the pandemic.
Which means it can happen to you, and your approach to security should account for it.
Conti cares about your revenue
Modern ransomware attacks are often described as “targeted”, but there is some misunderstanding about what that means. Most of the time it means that attackers focus on one target at a time, rather than attacking as many targets as possible.
A small detail of the Conti leak reported by NBC shows that Conti documentation encourages attackers to investigate potential targets in Google—searching for “WEBSITE + revenue”—and reminds them to check multiple sources, so they get an accurate number.
The advice appears in “MANALS_V2 Active Directory”, listed in a section called “Increasing privileges and collecting information”, and appears to be one of the steps attackers are told to take after breaking into a target’s network. If attackers are discovering this kind of information after they’ve broken in rather than before, it shows they aren’t going after specific targets, merely vulnerable ones.