"Conti Ransomware Gang's Playbook Gets Translated Into English, Gives Insight Into Attacks"

Researchers from Cisco Talos have translated the Conti ransomware gang's leaked internal training materials into English, revealing details of the group's attack methods. The material suggests the playbook was written so that low-skilled affiliates could successfully attack targets the gang considers valuable. It was leaked by a disgruntled Conti affiliate; Talos analyzed the documents and published an English translation that clarifies the steps and tools involved in a Conti intrusion. Although the attack scenarios described are simple enough for inexperienced operators to follow, they can still cause significant damage.

The instructions walk affiliates through gaining administrator access to a targeted network: supplied commands and tools are used to enumerate accounts, in particular those with privileged Active Directory access. The playbook also covers basic reconnaissance, such as checking LinkedIn and other social media platforms to identify employees likely to hold privileged network access. The most frequently referenced tool is the Cobalt Strike red-teaming framework, specifically a cracked copy of version 4.3. The documents also give instructions for exploiting Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-34527) and other critical vulnerabilities.

Some of the tools described are ones researchers do not usually encounter during incident response: SharpView, a .NET port of the PowerView module from the PowerShell-based PowerSploit offensive toolkit; Armitage, a Java-based GUI front-end for the Metasploit penetration-testing framework; and SharpChrome, a tool for decrypting saved logins and cookies from Chrome. Command-line utilities and remote-access tools mentioned in the leaked documents include AdFind, SMBAutoBrute and AnyDesk.

The leak also contained video tutorials on using PowerShell to carry out tasks such as penetration testing and attacking Active Directory. Defenders can use the leaked material to build better detection strategies and controls for this tradecraft. This article continues to discuss the translation of the Conti ransomware gang's playbook, the information contained in the leaked instructions, and how defenders can take advantage of it.

CyberIntelMag reports "Conti Ransomware Gang's Playbook Gets Translated Into English, Gives Insight Into Attacks"
