A leak of a purported tutorial from the Conti ransomware gang for turning compromised machines into ransomware beachheads provides a rare look inside the operations of a popular cybercriminal syndicate and highlights the tenuous relationships between groups in the cybercriminal ecosystem.
Threat experts at Cisco Talos this week provided a full English translation of the playbook, which came to light last month, allegedly after a disgruntled "affiliate" leaked the location of the server controlling compromised machines and more than 100MB of tools and documents. The playbook focuses on a number of popular tools — such as Cobalt Strike, Mimikatz, and PowerShell — and tells affiliates, low-level cybercriminals who infect systems for a cut of the profits, how to find exploits for common vulnerabilities.
Overall, the playbook gives an insight into the operations of a well-organized ransomware group, from searching for company revenue to methods of exfiltrating data, says Nick Biasini, global lead for outreach at Cisco Talos.
"It shows a level of organization and understanding that in order to be effective you have to be operating on a standard set of procedures or playbooks," he says. And it shows that ransomware attackers have solid documentation and knowledge of how to wage widespread ransomware campaigns, he says.
The Conti ransomware group is responsible for millions of dollars in damages suffered by companies and organizations. In May, the FBI issued an alert about the Conti group after attributing at least 16 attacks against healthcare and first responder networks to the group. A year ago, for example, the Conti group attacked the federal court in Louisiana, knocking the court's website offline. In November 2019, several other Louisiana government organizations suffered from a massive ransomware attack attributed to another gang, Ryuk.
The playbook, which Cisco Talos translated from Russian, underscores that the groups are trying to create a knowledge base for their low-level affiliates, who are used as the first line of attack. Such instruction manuals highlight that ransomware groups are targeting relatively unskilled individuals as affiliates, says Azim Khodjibaev, a threat intelligence researcher with Cisco Talos. "The focus on the creators of this document to make things as easy as possible shows that their model, whether greedy or not, relies on quantity of participants," he says.
A Terse How-to on Hacking
The playbook reads like a terse hacking guide, taking would-be attackers from initial reconnaissance through exploitation, information collection, and data exfiltration to placing the ransomware payload. The attacker tactics include copying data shares with important data, such as financial documents, IT configuration files, and client information.
Some specific techniques include using the Kerberoast tool to collect the administrator hash, which can sometimes be used in a replay attack, and using Mimikatz to collect passwords that may be reused. The Conti playbook also includes ways of compromising systems using the Remote Desktop Protocol (RDP), an approach popular with the group.
"This documentation allows both seasoned criminals and those newer to the scene the ability to conduct large-scale, damaging campaigns," Cisco Talos stated in its blog post. "This shows that although some of the techniques used by these groups are sophisticated, the adversaries carrying out the actual attacks may not necessarily be advanced."
Companies can use the translated documents to conduct threat modeling and red-team exercises to ensure they are protected against the now-public strategies used by the Conti group and its affiliates.
Security teams should verify that they can detect and block the attackers' activities, and should use the same open source tools described in the documents in their own penetration tests, says Cisco Talos' Biasini.
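As one way to check detection coverage for the Kerberoast technique mentioned above, the following added example (not from the article, the playbook, or Cisco Talos) flags accounts that request RC4-encrypted Kerberos service tickets for several distinct service accounts in a short window. It assumes Windows Security event 4769 records reduced to five fields; the account names, addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # ticket encryption type favoured for offline cracking

# Constructed sample of event 4769 data:
# (time, requesting account, service account, encryption type, client IP)
SAMPLE_EVENTS = [
    ("2021-09-01T10:00:01", "jdoe", "svc_sql", "0x17", "10.0.0.50"),
    ("2021-09-01T10:00:03", "jdoe", "svc_web", "0x17", "10.0.0.50"),
    ("2021-09-01T10:00:04", "jdoe", "svc_backup", "0x17", "10.0.0.50"),
    ("2021-09-01T10:00:06", "jdoe", "WS01$", "0x17", "10.0.0.50"),
    ("2021-09-01T10:00:09", "jdoe", "svc_sharepoint", "0x17", "10.0.0.50"),
    ("2021-09-01T09:00:00", "asmith", "svc_web", "0x12", "10.0.0.61"),
    ("2021-09-01T09:00:00", "bjones", "svc_backup", "0x17", "10.0.0.62"),
    ("2021-09-01T11:30:00", "bjones", "svc_sql", "0x17", "10.0.0.62"),
    ("2021-09-01T14:00:00", "bjones", "svc_web", "0x17", "10.0.0.62"),
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Map (account, ip) to the distinct services it requested with RC4
    when at least `threshold` of them fall inside one sliding `window`."""
    requests = defaultdict(list)
    for time, user, service, etype, ip in events:
        if etype.lower() != RC4_HMAC:
            continue  # AES tickets are the expected default
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are routine noise
        requests[(user, ip)].append((datetime.fromisoformat(time), service))

    findings = {}
    for key, reqs in requests.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Shrink the window from the left until it spans <= `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {name for _, name in reqs[start:end + 1]}
            if len(services) >= threshold:
                findings[key] = sorted(services | set(findings.get(key, [])))
    return findings

if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {user}@{ip}: RC4 tickets for {', '.join(services)}")
```

Running the same check against logs collected during a red-team exercise that uses the tool shows whether the threshold and window fit the environment.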
"It gives companies some definite insight into the tools and techniques these adversaries are using," he says. "Organizations have the ability to download and use the same tools, which is a huge advantage from a defensive perspective and can help defenders understand the behaviors they are likely to encounter."
On the positive side of the ledger, the leak shows that loose-knit affiliate business models for cybercrime come with risks for the ransomware groups. The affiliate leaked the document after being paid just $1,500 for taking part in an attack, a relative pittance compared with the millions of dollars that groups such as Conti are claiming to receive from ransomware victims.
The Cisco Talos researchers stressed that the gulf between the revenue of ransomware groups and the fees paid to affiliates may result in more leaks in the future.
"What happened here is that someone who is active with this group on a low level was unhappy enough to share their playbook," Khodjibaev says. "Ransomware is just another cybercrime, [and with] crime in general ... you see these types of leaks or rogue activities in other criminal enterprises where participants are not happy."