After its chat history was leaked, several tools, techniques, and training materials from the Conti ransomware gang have now also been leaked. Among the leaked tools are a decryption tool and the source code of the ransomware itself. Unfortunately, the decryptor doesn’t work for the most recent Conti victims, but it does provide security researchers and authorities with a treasure trove of insight into the gang’s workings.
The leaked information comes from VX-underground and is very recent. Often the information leaked about a gang is old, but in this case the data is only a day or two old at the time of the leak. The dump contains the full contents of the leak; here we focus on the most important things.
A treasure trove of insight
Normally, researchers have to figure out (by reverse engineering) how the malicious software works and what tricks the malware gangs have hidden up their sleeves. A leak of up-to-date information like this is going to bring big smiles to security teams around the world.
Chat logs and internal forums
First of all, they gain insight into how the gang communicates. Not only does this make it easier to identify gang members, but it also provides a picture of how the gang selects its targets, how it overcomes obstacles, and how roles are divided within the gang.
Tactics, Techniques & Procedures (TTPs)
In addition to the communication between the members, a collection of Tactics, Techniques & Procedures was also seized. In such documentation, a gang keeps track of how it achieves its goal: How do you get into a company? What software does the gang use for its purposes, and how?
The documents show that the gang makes extensive use of well-known open-source software such as Cobalt Strike. This software is used by ‘the defense’ to test its own security, the so-called pen-testing. In terms of techniques, for example, the gang kept track of how to reach specific types of backups (Shadow Protect SPX) in order to make recovery more difficult. Finally, the documents also reveal how the gang actively used a number of proof-of-concept exploits for vulnerabilities disclosed by researchers.
Cybercriminals don’t know everything either! Training material was also found alongside the aforementioned TTPs. This includes Russian-language training videos, sometimes even with video footage of an alleged gang member. In them, new or less experienced gang members learn, for example, how to use Cobalt Strike, how to find vulnerabilities in a network, and how to abuse Windows Active Directory.
Source code cuts both ways
Finally, the source code of the infamous TrickBot malware has been leaked. This allows authorities and researchers to see exactly how the malware works: How does it move? How does TrickBot hide in a network? With this information, security and detection software can be explicitly trained to recognize, remediate or even prevent TrickBot infections.
Yet this knife cuts both ways, because other cybercriminals can also learn from the TrickBot code. For example, a better TrickBot can be written, or parts of it can be reused to improve other malware families. After all, these gangs are in it for the money, and they are each other’s competitors.