According to researchers, Conti, the group that operates a ransomware-as-a-service (RaaS) offering, has just had its playbook exposed. Alongside the Cobalt Strike manual that was used to build the playbook, the leak provides a wealth of information on the threat actors.

Leaked playbook

A disgruntled Conti affiliate is alleged to have leaked the confidential playbook documents.

  • According to researchers, the documentation is detailed enough that other cybercriminals could use it to carry out attacks.
  • In addition to using tools such as AdFind to enumerate Active Directory users, the attackers also use OSINT and LinkedIn to identify people with privileged access.


  • Cobalt Strike, a threat emulation tool, is one of the most important tools in the playbook. Armitage, SharpChrome, SharpView and Seatbelt are among the additional tools employed.
  • The attackers also documented exploitation of the CVE-2020-1472 (Zerologon) vulnerability using Cobalt Strike.

The alleged leaker:

  • m1Geelka is the alleged leaker, possibly a low-level Conti affiliate.
  • So far, it appears that the leaker was not paid for services rendered, and that the release was motivated by revenge.
  • The affiliate later clarified that the documents were shared to help others better understand Conti, not as a form of retribution.
  • Only components that anti-virus software could already detect were exposed; no private code was leaked.

For the security community, Conti’s playbook offers a glimpse into the behaviour of these groups and the tools they prefer to rely on when conducting their attacks. As a result, security analysts and researchers have an opportunity to put in place the detection logic needed to identify and neutralise such activity.
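As an added illustration of the kind of detection logic the article calls for (this is example code written for this page, not material from the leaked playbook or from any Conti tooling), the following Python routine scans process-creation records for the AdFind-style Active Directory enumeration mentioned above and raises an alert when one host issues several enumeration queries within a short window. The record layout (host, user, time, image, cmdline) and all sample records are assumptions constructed for the example; the command-line markers are AdFind's own query syntax, so the check also catches a renamed copy of the binary.

```python
"""
Added example (not from the article or from any Conti material): a small
detection routine that scans process-creation records for the AdFind-style
Active Directory enumeration the playbook describes, and flags hosts that run
several enumeration queries in a short window.

Assumptions (labelled, not from the page):
  * Records are dicts with keys host, user, time (ISO 8601), image, cmdline,
    the shape a SIEM normaliser might emit for a process-creation event.
  * The sample records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line fragments typical of AD enumeration with AdFind. The query
# filters (objectcategory=...) and trustdmp are AdFind's own syntax; matching
# on them catches a renamed binary as well as adfind.exe itself.
ENUM_MARKERS = (
    "objectcategory=person",
    "objectcategory=computer",
    "objectcategory=group",
    "objectcategory=subnet",
    "trustdmp",
)


def is_adfind_enumeration(record):
    """Return True if one process-creation record looks like AdFind enumeration."""
    image = record.get("image", "").lower()
    cmdline = record.get("cmdline", "").lower()
    if image.endswith("adfind.exe"):
        return True
    return any(marker in cmdline for marker in ENUM_MARKERS)


def find_enumeration_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Group matching records per host and report hosts that ran at least
    `threshold` enumeration commands inside any sliding window of `window`.
    Returns {host: largest number of commands seen in one window}."""
    hits = defaultdict(list)
    for r in records:
        if is_adfind_enumeration(r):
            hits[r["host"]].append(datetime.fromisoformat(r["time"]))
    alerts = {}
    for host, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


# Constructed sample: one host runs a rapid enumeration sequence (including a
# renamed binary), a second host runs a single query (e.g. an admin check),
# and a third host is unrelated noise.
SAMPLE_RECORDS = [
    {"host": "WS-101", "user": "jdoe", "time": "2021-08-05T10:00:05",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=person"},
    {"host": "WS-101", "user": "jdoe", "time": "2021-08-05T10:00:40",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "WS-101", "user": "jdoe", "time": "2021-08-05T10:01:12",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",  # renamed binary
     "cmdline": "svc.exe -sc trustdmp"},
    {"host": "WS-101", "user": "jdoe", "time": "2021-08-05T10:01:50",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",
     "cmdline": "svc.exe -f objectcategory=group"},
    {"host": "ADMIN-7", "user": "ops", "time": "2021-08-05T11:30:00",
     "image": "C:\\Tools\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=subnet"},
    {"host": "WS-202", "user": "asmith", "time": "2021-08-05T10:00:10",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, count in find_enumeration_bursts(SAMPLE_RECORDS).items():
        print(f"ALERT {host}: {count} AD enumeration commands within 5 minutes")
```

On the constructed sample this reports only WS-101 (four enumeration commands in under two minutes); the single query on ADMIN-7 stays below the burst threshold, which is the point of counting per host and per window rather than alerting on every AdFind execution. In a real deployment the thresholds, the marker list and the notion of "expected" admin hosts would be tuned to the environment.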