Conti ransomware group technical manuals leaked on the internet


Several technical manuals from the Conti ransomware group have appeared on the internet. They contain the IP addresses of command & control servers the group used and explain how to attack networks and steal data, various security researchers report via Twitter.


According to the researchers, the documents were leaked by a partner of the group, one of the affiliates that carries out the attacks on networks. The manuals are said to be distributed to such partners. One of them published the files and manuals on a cybercriminal forum, from where they were downloaded by researchers. Security researcher Vitali Kremez told Bleeping Computer that the manuals match what is seen in active Conti ransomware cases.


The documents include screenshots of IP addresses that the Conti group is said to use for Cobalt Strike servers. Cobalt Strike is a tool for performing penetration tests on systems and networks, but it is also used by attackers to further compromise organizations they have breached. Through these servers the attackers communicate with infected systems inside the victim's network.


The manuals explain, among other things, how to use the Rclone software in combination with the MEGA cloud storage service for data theft. According to an analysis by The DFIR Report, they also cover scanning internal networks with Netscan, accessing remote systems with AnyDesk, dumping Active Directory passwords (NTDS dumping), exploiting the Zerologon vulnerability, tunneling RDP with Ngrok, brute-forcing SMB to obtain domain administrator rights, and performing a Kerberoasting attack.
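Kerberoasting, one of the techniques listed above, leaves a recognisable trace in domain controller logs: a single account requesting RC4-encrypted service tickets (Event ID 4769, encryption type 0x17) for many different service accounts in a short period. The detector below is an added example for defenders and is not part of the leaked manuals or The DFIR Report analysis; the flattened log lines, field names and the threshold of three distinct services are constructed assumptions, since real 4769 exports are multi-line XML or text.

```python
import re

# Constructed sample lines in the shape of Windows Security Event 4769
# ("A Kerberos service ticket was requested"), flattened to key=value pairs.
# 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC (what Kerberoasting asks for).
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.5",
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5",
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5",
    "EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.5",
    "EventID=4769 AccountName=WS01$@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.20",
    "EventID=4768 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.5",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_TYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP
THRESHOLD = 3                  # distinct services per account before alerting (assumed)


def parse_event(line):
    """Split a flattened key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def suspicious_rc4_requests(lines):
    """Map each requesting account to the set of distinct user-style service
    accounts for which it obtained an RC4-encrypted service ticket.
    Machine accounts (ending in $) and the krbtgt TGT service are ignored
    because they are not the targets of a Kerberoasting run."""
    per_account = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        svc = ev.get("ServiceName", "")
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        if ev.get("TicketEncryptionType") not in RC4_TYPES:
            continue
        per_account.setdefault(ev["AccountName"], set()).add(svc)
    return per_account


def kerberoast_alerts(lines, threshold=THRESHOLD):
    """Return accounts that requested RC4 tickets for >= threshold distinct services."""
    return {acct: sorted(svcs)
            for acct, svcs in suspicious_rc4_requests(lines).items()
            if len(svcs) >= threshold}


if __name__ == "__main__":
    for acct, svcs in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: RC4 tickets for {', '.join(svcs)}")
```

Legacy services that only support RC4 will trigger this on normal traffic, so tune the threshold and allow-list known RC4-only SPNs, or better, enforce AES on service accounts so a 0x17 request becomes an anomaly in itself.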


The Belgian managed service provider (MSP) ITxx decided last month to pay the criminals behind the Conti ransomware, which had encrypted customer files, a ransom of $300,000. The group was also behind the attack on Ireland's health care system and a major American school district. According to the FBI, the Conti group attacked more than 400 organizations worldwide.