Angry Conti ransomware affiliate reveals gang’s playbook

A disgruntled Conti affiliate has leaked the training material the gang hands out for conducting attacks, along with information about one of the ransomware's operators.


Conti Ransomware is a ransomware-as-a-service (RaaS) operation in which the core team controls the malware and Tor sites while recruited affiliates undertake network hacks and encrypt devices.




The core team receives 20-30% of a ransom payment in this model, while the affiliates receive the remainder.


A security researcher shared a post from a major Russian-language hacker forum, written by an outraged Conti affiliate who publicly revealed information about the ransomware operation.


This information includes the IP addresses of Cobalt Strike C2 servers, as well as a 113 MB archive containing several tools and training materials for executing ransomware operations.



Forum post from disgruntled affiliate




The affiliate said he posted the material because he was paid only $1,500 for his part in an attack, while the rest of the gang makes millions and promises large payouts once a victim pays a ransom.


Along with the message, the affiliate uploaded screenshots of Cobalt Strike beacon configurations, which contained the IP addresses of the ransomware gang's command and control servers.


Security researcher Pancak3 tweeted that everyone should block the listed IP addresses to prevent attacks from the gang.
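Blocking the leaked C2 addresses at the perimeter is the immediate step; checking historical connection logs against the same list tells you whether any host already reached out to them. The following is an added example, not code from the article or from any researcher it quotes: it matches outbound-connection log lines against a small blocklist that supports both single addresses and CIDR ranges. The blocklist entries and log lines are constructed placeholders (RFC 5737 test ranges), not the real addresses from the leak.

```python
"""Match outbound-connection log lines against a C2 IP blocklist (added example)."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed placeholder blocklist. The real Cobalt Strike C2 addresses from
# the leak are NOT reproduced here; RFC 5737 TEST-NET ranges are used instead.
# Entries may be single addresses or CIDR ranges.
C2_BLOCKLIST = [
    "198.51.100.23",
    "203.0.113.0/28",
]

# Constructed sample firewall log lines (not taken from the article).
SAMPLE_LOGS = [
    "2021-08-05T10:01:02Z fw01 action=allow src=10.0.0.12 dst=198.51.100.23 dport=443",
    "2021-08-05T10:01:05Z fw01 action=allow src=10.0.0.12 dst=93.184.216.34 dport=443",
    "2021-08-05T10:02:11Z fw01 action=allow src=10.0.0.44 dst=203.0.113.7 dport=80",
    "2021-08-05T10:03:30Z fw01 action=deny src=10.0.0.44 dst=203.0.113.200 dport=8080",
]

# Assumed key=value log format; adjust the patterns for your own firewall/proxy.
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse blocklist entries (addresses or CIDRs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """Return True if the address falls inside any blocklisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Regex can match syntactically odd octets (e.g. 999.1.1.1); skip them.
        return False
    return any(addr in net for net in networks)


def find_c2_hits(log_lines: Iterable[str], blocklist: Iterable[str] = C2_BLOCKLIST) -> List[dict]:
    """Return one record per log line whose destination is on the blocklist.

    Note that the action field is deliberately ignored: an 'allow' to a C2 is an
    incident, and a 'deny' still shows a host trying to reach it.
    """
    networks = build_networks(blocklist)
    hits = []
    for line in log_lines:
        dst_match = DST_RE.search(line)
        if not dst_match:
            continue
        dst = dst_match.group(1)
        if is_blocked(dst, networks):
            src_match = SRC_RE.search(line)
            src: Optional[str] = src_match.group(1) if src_match else None
            hits.append({"src": src, "dst": dst, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(f"C2 contact: {hit['src']} -> {hit['dst']}")
```

Each hit identifies the internal source host that contacted a listed address, which is the host to triage first; a single match in older logs is a stronger signal than the block counter at the firewall, because it means the beacon was already running before the rule existed.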


The affiliate then shared an archive containing 111 MB of data, including hacking tools, Russian-language manuals, training materials, and help documents that are purportedly handed to affiliates conducting Conti ransomware attacks.


According to Advanced Intel's Vitali Kremez, who has already studied the archive, the training material matches what is seen in active Conti cases.


According to insiders, Conti banned the affiliate after discovering that he was stealing business from them by advertising an unrelated affiliate network.


In retaliation for being banned, the affiliate disclosed Conti's training materials and tooling.


According to Kremez, the leak demonstrates a weakness of the ransomware-as-a-service model: a single disgruntled affiliate can expose the carefully cultivated information and resources the operation relies on in its attacks.


