{"id":2192,"date":"2021-08-10T20:20:07","date_gmt":"2021-08-10T20:20:07","guid":{"rendered":"https:\/\/osintme.com\/?p=2192"},"modified":"2021-08-10T20:23:47","modified_gmt":"2021-08-10T20:23:47","slug":"analysis-of-the-leaked-conti-ransomware-manuals","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2021\/08\/10\/analysis-of-the-leaked-conti-ransomware-manuals\/","title":{"rendered":"Analysis of the leaked Conti ransomware manuals"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Several days ago, as a result of a disagreement about the fair distribution of ransomware proceeds of crime within the Conti cybercriminal fraternity, one of the group’s affiliates publicised close to 60 files containing manuals and resources for Conti ransomware operators.<\/p>

This information dump provides a unique insider glimpse into how ransomware groups function, how they go about picking their targets, what methods they use, what resources they share and what defenders can look out for when trying to stop an intrusion.<\/p>

There probably isn’t that much of new content here, as some of the techniques and software have been used by cybercriminals for a while. Yet it’s pretty rare to witness a complete information dump such as this, originating from within the actual ransomware operator community.<\/p>

NOTE:<\/strong> The original documents are all in Russian – any discrepancies or inaccuracies that might arise result from my own translatory shortcomings.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Preparation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
  • The attackers set up a virtual machine using a VeraCrypt encrypted volume for their own security.<\/li>
  • Disabling webrtc, Javascript and Flash is NOT recommended – as this could result in an operator attracting more attention when connecting to target systems.<\/li>
  • The manual advises against using Kali Linux in favour of Debian or another custom built system.<\/li>
  • Connections to target systems are established through proxy IP addresses owing to the usage of Proxifier, Tor and Whonix.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    Reconnaissance<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t
    • Automated pings are sent out to target systems using a batch file and a list of machines.<\/li>
    • RouterScan is used to, nomen omen, identify routers on a specific IP address range. It will also attempt to connect to those using a list of known default credentials.<\/li>
    • A cracked version of Cobalt Strike (legitimate pentesting software) is being used to conduct system profiling and establish covert communication.<\/li>
    • Internal network scans are conducted using NetScan, which focuses on finding information such as host names, open ports, groups and domains, device and OS information, etc.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t

      Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t
      • Access to victim machines takes place using the RDP port (Remote Desktop Protocol) by abusing Ngrok, a legitimate remote access software.<\/li>
      • Once connection is established, remote access to the target machine is maintained using AnyDesk.<\/li>
      • Metasploit is used to check for exploits and vulnerabilities.<\/li>
      • When exploiting Windows operating systems, the attackers set out to create a list of Active Directory users (ad_users) and save it as a text file. This file will later be used to run automated scripts aimed at injecting a malicious process and bypass an AV program.<\/li>
      • Mimikatz \/ LSASS are used to extract passwords and password hashes from memory.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
        \n\t\t\t\t\t\t
        \n\t\t\t\t\t
        \n\t\t\t
        \n\t\t\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t

        Post-Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
        \n\t\t\t\t\t\t
        \n\t\t\t\t\t
        \n\t\t\t
        \n\t\t\t\t\t\t
        \n\t\t\t\t
        \n\t\t\t\t\t\t\t\t\t
        • Domain controller enumeration and data extraction is facilitated using PowerView.<\/li>
        • Windows Defender is turned off (manually, if necessary) and shadow volume copies are deleted from the system.<\/li>
        • Data exfiltration takes place using Rclone and MEGA.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t\t
          \n\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t

          Intelligence<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t\t
          \n\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          So much for the techniques used by Conti operators, in a snapshot.<\/p>

          Also interesting are parts of the manuals that include some pieces of digital intel, as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

          \n\t\t\t\t\t\t
          \n\t\t\t\t\t
          \n\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          Admin details:<\/strong><\/p>

          Nickname: Tokyo<\/p>

          Jabber: cicada3301@strong.pm\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

          \n\t\t\t\t\t\t
          \n\t\t\t\t\t
          \n\t\t\t
          \n\t\t\t\t\t\t
          \n\t\t\t\t
          \n\t\t\t\t\t\t\t\t\t

          IP addresses of command & control servers:<\/strong><\/p>

          • 162.244.80.235<\/li>
          • 85.93.88.165<\/li>
          • 185.141.63.120<\/li>
          • 82.118.21.1<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t\t
            \n\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            NOTE:<\/strong> It’s reasonable to expect that at this stage the above IP addresses have been changed – but this information can still be useful for analysing past events and connection attempts from these addresses.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

            \n\t\t\t\t\t\t
            \n\t\t\t\t\t
            \n\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            List of machine names used to connect to target systems:<\/strong><\/p>

            CLeichty
            sd-cernst-vista
            SDBUILD11
            sd-books-01
            sdt-xp-04
            DEV-SPARE
            MININT-N3JOUQL
            SDBUILD10
            sdmmarshall02
            gary-x60
            laptop07
            gary-x61
            cernstdesktop
            pkomosin01
            MININT-50C2BP7
            DESKTOP-PC
            SGRAY-PC
            MattHLaptop
            MattLauth-PC
            jimbendt
            laptop05
            sdbuild13
            nholli-laptop01
            rthomp01
            sdlaptop02
            SDT-Vista-01
            SDBuild19
            GHARPST-LAPTOP
            sdt-xp-01
            dedds01
            sdt-xp-02
            SDT-WIN7X64-01
            DKECK-OUTLOOK
            vern-laptop
            GHARPST01
            mheidepriem
            CWETHERILL2
            PKOMOSINSKI01
            GHARPST-X200
            six-d9db82df276
            jridge01
            banderson02
            SDT-Win8x64-01
            SDT-XP-03
            SD-EMailVerifier-01
            russ-PC
            bclark03
            SDD-Win8x64-01
            GMHII
            casey-PC
            GH-SURFACE
            mheidepriem01
            DKECK-WIN7
            SDT-Win81x64-01
            jbendt-01
            dkeck-VM
            sdt-vista-02
            sdt-xp-05
            VERN-THINK
            SDT-WIN7X86-02
            perload02
            MLAUTH01
            cernst-desktop
            XPS
            cernst01
            PHARTMAN01
            CASEY-D810
            SGRAY-PC1
            DellLatD830
            mheidepriemDesk
            DLOCKET01
            dlockert
            AutomatedTest
            COREYL-DESKTOP
            d410loaner
            DKECK-DESKTOP
            GH11
            WIN-DSICSJFMGTJ
            WIN-9CH5144SG63
            NStrong
            BLARK-E5530
            CASEY-ASUS
            Casey-Desktop
            SDT-Win10x64-01
            CWETHERILL
            DESKTOP-T6363GF
            GH-PC
            MHeidepriem03
            MHEIDEPRIEM02
            SDT-Win10x64-02
            SDBUILD-01
            SDT-Win8x86-01
            SDBUILD-02
            SS-SLATE
            Gary-Yoga
            SDT-WIN7X86-01
            BSI-PWD-01
            LOANER
            Wetherill
            SurfacePro3
            DESKTOP-K66L1AA
            SDS-NKOMOSINSKI
            blortied420
            casey-laptop
            Wetherill-Acer
            SDBUILD-LAP1
            davids-macbook
            SDBUILD14
            lenovocarbon
            VSTRONG-LENOVO
            SD-VERN-01
            CaseyAcer
            casey-dev
            DKECK-WORK
            dkeck-dev
            6D-JHARPST-02
            Cory-Asus
            SIXD-TMACKE-L1
            rmortensen1
            6d-jharpst-01
            CoreyL-Laptop
            rmortensen
            CoreyL-Dev<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

            \n\t\t\t\t\t\t
            \n\t\t\t\t\t
            \n\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            List of passwords commonly targeted for brute forcing by the operators using SMB Autobrut (yes, people still use such weak passwords…):<\/b><\/p>

            Password1
            Hello123
            password
            Welcome1
            banco@1
            training
            Password123
            job12345
            spring
            food1234<\/p>

            June2020
            July2020
            August20
            August2020
            Summer20
            Summer2020
            June2020!
            July2020!
            August20!
            August2020!
            Summer20!
            Summer2020!<\/p>

            NOTE:<\/strong> The point of listing these is to highlight how pathetically weak such passwords are. Also, attackers actively scan for domain controller information and no lockout threshold set on the account – which means that the account does not lock after a specified number of failed authentication attempts, therefore it can be brute forced without any constraints.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

            \n\t\t\t\t\t\t
            \n\t\t\t\t\t
            \n\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            Site used for creating and editing commands:<\/strong><\/p>

            http:\/\/tobbot.com\/data\/<\/p>

            (flagged as malicious by some scanners)<\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

            \n\t\t\t\t\t\t
            \n\t\t\t\t\t
            \n\t\t\t
            \n\t\t\t\t\t\t
            \n\t\t\t\t
            \n\t\t\t\t\t\t\t\t\t

            List of recommended Telegram forums:<\/strong><\/p>

            • https:\/\/t.me\/peass<\/li>
            • https:\/\/t.me\/antichat<\/li>
            • https:\/\/t.me\/thebugbountyhunter<\/li>
            • https:\/\/t.me\/club1337<\/li>
            • https:\/\/t.me\/infosec1<\/li>
            • https:\/\/t.me\/RalfHackerChannel<\/li>
            • https:\/\/t.me\/in51d3<\/li>
            • https:\/\/t.me\/exploithacker<\/li>
            • https:\/\/t.me\/Premium_Hacking<\/li>
            • https:\/\/t.me\/DownloadCourse14<\/li>
            • https:\/\/t.me\/ViperZCrew<\/li>
            • https:\/\/t.me\/techpwnews<\/li>
            • https:\/\/t.me\/cyb3rhunt3r<\/li>
            • https:\/\/t.me\/cveNotify<\/li>
            • https:\/\/t.me\/MalwareResearch<\/li>
            • https:\/\/t.me\/BugCrowd<\/li>
            • https:\/\/t.me\/itsecalert<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

              An angry Conti ransomware affiliate dumped a bunch of manuals – here is a synopsis of what can be found within.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[18],"tags":[76,84,132,83,134,71],"class_list":["post-2192","post","type-post","status-publish","format-standard","hentry","category-digital-privacy-security","tag-cybercrime","tag-documents","tag-leak","tag-manuals","tag-ransomware","tag-russia"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=2192"}],"version-history":[{"count":28,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2192\/revisions"}],"predecessor-version":[{"id":2241,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/2192\/revisions\/2241"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=2192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=2192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=2192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}