At the end of July there was another leak. This time, however, no user data, passwords or internal company documents were published. At least not unless you already regard a cybercrime gang as a company. It appears that a dissatisfied customer of the Conti ransomware has published its operating instructions, including some useful scripts, in protest.
The Conti ransomware is one of the most active extortion Trojans and brought in over 12 million US dollars in 2021 alone; along the way it paralyzed the Irish health service and the TU Berlin. The malware was developed by the Trickbot gang as the successor to Ryuk, which many Emotet victims know from painful experience. Conti forms the basis of the gang’s ransomware-as-a-service business: it provides ambitious young criminals with the infrastructure, tools and instructions they need to organize their own ransomware raids. In return, the RaaS provider keeps a large share of the ransom collected through its money-laundering system.
The Ransomwhere website tracks ransom payments; according to its data, extortion with Conti has already brought in over 12 million US dollars, putting it even ahead of the infamous REvil gang.
(Picture: Ransomwhere)
And that is reportedly what led to an argument. One affiliate complained in an underground forum that his share was far too low given that he was doing all the work. To get back at “those above” who only cash in, he published the training material provided by the gang without further ado.
(Image: Bad blood among the criminals – “m1Geelka” does not want to be fobbed off with 1500 US dollars.)
Whether this is actually the truth cannot be said with absolute certainty. However, an initial analysis by heise Security makes the authenticity of the material appear at least plausible. The processes described match very closely what is known about such incidents. Incident response specialists have already publicly confirmed that the instructions contain details they have observed in specific cases of Conti extortion.
A journey underground
The material leaked in this way is, of course, an interesting starting point for a journey of discovery into the world of the Conti extortionists. The first thing that strikes you is that the majority of the documents are written in Russian. Even an automated translation with DeepL, for example, stumbles in places, but in context it is always easy to see what is meant. That translation forms the basis of the following description.
The documents are also aimed at absolute laypeople, to whom even the basics still have to be explained. First of all, of course, comes the most important thing: the money. Before anything else, the would-be extortionists are to collect information about the future victim’s turnover, specifically:
Google: "mycorporation.com" "revenue"
This information can be used to prioritize the operation and – more importantly – to determine the amount of a realistic ransom demand.
Central Cobalt Strike
The central document is a detailed manual on Cobalt Strike.
The central documents revolve around the use of Cobalt Strike (CS).
This is a commercial toolkit actually intended for professional attack simulations, known in security parlance as red teaming. However, it is also very popular with state-sponsored attackers (APTs) and cybercrime gangs. The developers of Cobalt Strike are therefore often accused of doing too little against the criminal use of their framework and thus of indirectly supporting cybercrime.
Cobalt Strike is a complete platform for attacks on IT networks. It is also very popular with criminals such as the Conti gang.
(Image: screenshot)
The attackers place so-called Cobalt Strike beacons on compromised systems. These call home to their command-and-control server in a variety of ways, so the attacker can reach his bridgeheads at any time. The beacons then offer him convenient functions for controlling the system, collecting further information and spreading further through the network.
It is therefore hardly surprising that the first chapter is devoted to gathering information. It starts with a long list of command-line commands such as
shell net localgroup administrators
and explanations of their respective output. An interesting detail on the side: in a comment, the author explicitly mentions that on a German-language system you have to search for “Domänen-Admins” instead of “domain admins”. So Germany is definitely in the Conti gang’s sights.
Then, among other things, it is about privilege escalation, i.e. the acquisition of extended rights. A separate chapter is dedicated to PrintNightmare:
The vulnerability is fresh, but it’s already notorious. We use it before it’s shut down. CVE-2021-34527 allows creating a local administrator, which is useful if there is an agent that comes with simple user rights.
A detailed chapter is devoted to persistence, i.e. how best to remain entrenched in the system. It discusses the advantages and disadvantages of different approaches. Pure in-memory backdoors, for example, leave the fewest traces and carry the lowest risk of being noticed, but are lost when the system restarts. As a possible compromise, the authors suggest hooking into the startup procedure of frequently used programs such as MS Office.
Other chapters deal with “Lateral Movement”, “Hunting Admins” and SMB cracking. The focus on Active Directory is striking. The manual also mentions a number of additional tools such as ADFind and SharpView with which the attackers can reconnoitre the network and the Active Directory before attacking them. The central goal is domain admin credentials, which are extracted using tools such as Mimikatz or Kerberoast. Once they have compromised the Active Directory, they like to create new admin accounts with innocuous names such as “oldadministrator”.
The final chapter explains how to roll out and start the actual encryption program. This is done with regular admin tools such as psexec or wmic, using a previously created domain admin account, on all systems in the network.
Other documents describe more specific techniques or tools. For example, the criminals recommend the Internet service ngrok to ensure that systems behind a NAT remain easily reachable. They couple it with a local RDP, which is switched to port 1350 for this purpose. Alternatively, the maintenance tool AnyDesk is recommended as a backdoor.
The MANUAL directory of the leak contains a number of tools and individual documents. The names in this screenshot are already translated.
It is also interesting to see how precisely the criminals describe the exfiltration of files. For this, you create an account (paid for in cryptocurrency) with the file hoster Mega – a new one for each attacked network, the authors warn. Interestingly enough, the access data for one of these accounts is even included in the leak.
The data to be stolen is then uploaded with the tool rclone, which has a dedicated mode for Mega. Other interesting documents contain links to various public cheat sheets for SQL injection, or scripts that can disable various antivirus solutions such as Bitdefender, Trend Micro or Windows Defender.
Lessons Learned
Ultimately, the manuals do not reveal anything fundamentally new about the criminals’ approach. Particularly exciting are the small details, such as the references to German peculiarities and, of course, specifics such as particular user names or ports with which defenders can now improve the rules of their internal alarm systems.
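As an added illustration for defenders (not part of the original article or of the leaked material), the following Python sketch turns the indicators named above, the “oldadministrator” account name, RDP moved to port 1350 together with ngrok, AnyDesk, rclone uploads to Mega and the psexec/wmic roll-out, into simple detection rules and runs them over constructed sample telemetry. The JSON-lines event layout, the host and account names, and the generalization from “oldadministrator” to any newly created account with “admin” in its name are assumptions made for this example.

```python
import json
import re

# Constructed JSON-lines telemetry (not taken from the leak): Windows-style
# account-creation (4720), process-creation (4688) and registry-set (13) events.
SAMPLE_EVENTS = r"""
{"event": 4720, "host": "dc01", "target": "oldadministrator", "subject": "jsmith"}
{"event": 4688, "host": "ws01", "image": "C:\\Tools\\rclone.exe", "cmdline": "rclone copy D:\\share mega:dump"}
{"event": 4688, "host": "ws02", "image": "C:\\Users\\Public\\ngrok.exe", "cmdline": "ngrok tcp 1350"}
{"event": 13, "host": "ws02", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber", "value": 1350}
{"event": 4688, "host": "dc01", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic /node:ws03 process call create C:\\temp\\locker.exe"}
{"event": 4688, "host": "ws03", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --start-service"}
{"event": 4688, "host": "ws01", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""
RDP_PORT_KEY = r"Terminal Server\WinStations\RDP-Tcp\PortNumber"

def proc(e, image_pattern):
    """True for a process-creation event whose image file name matches the pattern."""
    if e.get("event") != 4688:
        return False
    return re.search(image_pattern, e.get("image", "").rsplit("\\", 1)[-1], re.I) is not None

# One rule per indicator the manual hands the defenders.
RULES = [
    # New accounts with "admin" in an innocuous-looking name, e.g. "oldadministrator" (assumed generalization).
    ("suspicious_admin_account",
     lambda e: e.get("event") == 4720 and "admin" in e.get("target", "").lower()),
    # Exfiltration: rclone pointed at a Mega remote ("mega:" remote prefix).
    ("rclone_to_mega",
     lambda e: proc(e, r"^rclone") and re.search(r"\bmega:", e.get("cmdline", "")) is not None),
    # ngrok tunnel exposing an internal service through NAT.
    ("ngrok_tunnel", lambda e: proc(e, r"^ngrok")),
    # RDP listener moved off the default port 3389 (the manual uses 1350).
    ("rdp_port_changed",
     lambda e: e.get("event") == 13 and e.get("key", "").endswith(RDP_PORT_KEY) and e.get("value") != 3389),
    # AnyDesk used as a backdoor; exclude hosts where it is approved software.
    ("anydesk_started", lambda e: proc(e, r"^anydesk")),
    # Locker roll-out via wmic /node: or psexec from a domain-admin context.
    ("remote_exec_wmic_psexec",
     lambda e: (proc(e, r"^wmic") and "/node:" in e.get("cmdline", "").lower()) or proc(e, r"^psexec")),
]

def detect(raw_lines):
    """Run every rule over the JSON-lines telemetry and return one alert per hit, in input order."""
    alerts = []
    for line in raw_lines.strip().splitlines():
        e = json.loads(line)
        alerts += [{"rule": name, "host": e["host"]} for name, pred in RULES if pred(e)]
    return alerts
```

In practice the `anydesk_started` and `suspicious_admin_account` rules need an allow-list of approved remote-support hosts and legitimate admin naming patterns, otherwise they will page on routine administration.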
Personally, I find it particularly exciting that the criminals seem to be dissatisfied with the distribution of the booty. In the future, this could open up opportunities to break up the structures and thus also get to the people behind them.
In the heise Security Pro expert forum, security professionals get access to the documents we have translated and discuss their findings:
(ju)