Disgruntled Conti Affiliate Leaks Ransomware Training Documents
Even ransomware affiliates are prone to feeling as though they are getting extorted. On August 5, 2021, a former affiliate of the Conti Ransomware collective posted a number of “training documents” on the Russian language XSS forum. The documents are normally used for affiliate onboarding, by providing instructions and manuals regarding technical development and operational security. The leak also included tools such as Cobalt Strike Version CS4.3, Proxifier, and RouterScan, as well as a series of Russian language text documents with names such as “domains”, “disabling defender”, and “how and what information to download.” The starting salary advertised by the Conti leadership was set at $1,500 USD, however the threat actor who leaked the files openly questioned their advertisement. The threat actor noted that the Conti leadership traditionally charges affiliates $1,500 USD for the package.
The threat actor also posted the IP addresses of the Conti operators and the contents of their internal chat logs. Why is the threat actor so disgruntled? They claimed that rather than hiring affiliates to work with, they are exploiting them for cheap labor and offering them only a small share of the profits. Talk about double-extortion!
Clearly, the Conti affiliates should have included a non-disparagement and non-disclosure clause in their affiliate contracts. The post has since been deleted by the XSS administrators for leaking sensitive documents into public. The leaker was banned, not before claiming that they will post the files on the Russian language Exploit forum.
Some users commented on the brazen attitude of the leaker. Others lamented that carefully guarded tactics, techniques, and procedures are now being leaked to the public, including security researchers. The threat actor leaking the files claimed that less than 30% of the content was released, leaving out more important files that could compromise future operations. They hinted that the leak was a form of silent protest against the operators, which other users echoed by questioning the utility of the content.
While the forum users question the value of the material, several documents do appear useful for identifying active campaigns. For example, several IP addresses from Cobalt Strike servers were included in the documents. Further, they may have associated several other users as ransomware operators, resulting in bans from forum administrators. While the ban may have a limited impact on ransomware operations, it may affect the ability to recruit affiliates.
Track Ransomware Trends at the Source with Flashpoint
Sign up for a demo and see how Flashpoint gives you the data that you need to identify, track and mitigate the impact of ransomware actors. Our comprehensive ransomware dashboard provides access to Flashpoint’s collections of ransomware-specific sites, allowing users to monitor activity in malicious communities more comprehensively and measure the risk impacting the organization or brand. Contact us today, and stay ahead of the threats.