Leaked Ransomware Tools
Overview
In the past few weeks, ransomware gangs have had data of their own leaked, giving insight into their operations.
The Conti group had a set of tools and training documents released onto a Russian-language forum. This material describes their processes and can be used by defenders to help detect their activity.
More recently, security researchers have gotten hold of a PowerShell script belonging to the Pysa group. This script is for initial reconnaissance on victims’ networks and shows the types of data that Pysa is most interested in targeting.
Impact
This data can be used to build detections against these groups’ activity.
Indicators of Compromise
C2 IPs
162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1
Threat Landscape
The targeting scripts included with both leaks have a focus on financial information. Search terms such as “billing”, “payment” or “payroll” would surface particularly sensitive information that a victim would want to keep private. Such data could also be used for fraud if the victim does not pay the ransom.
The Conti targeting includes insurance and policy documents, which suggests they may be particularly interested in companies with cyber insurance, as this can be an indicator that a company is more likely to pay out a ransom.
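The following is an added example (not part of the advisory, nor taken from the leaked Conti or Pysa material) of how the two detection opportunities above can be turned into simple log checks: matching outbound connections against the listed C2 IPs, and flagging command lines that search for several of the financial keywords at once (T1083-style discovery). The log formats, hostnames, usernames and log lines are constructed for illustration and are not from the page.

```python
import re

# C2 IP addresses listed in the advisory's Indicators of Compromise.
C2_IPS = {
    "162.244.80.235",
    "85.93.88.165",
    "185.141.63.120",
    "82.118.21.1",
}

# Search terms named in the advisory's Threat Landscape section (case-insensitive match).
FINANCIAL_TERMS = ("billing", "payment", "payroll", "insurance", "policy")
TERM_RE = re.compile("|".join(re.escape(t) for t in FINANCIAL_TERMS), re.IGNORECASE)

# Constructed sample firewall log; hypothetical format: "<timestamp> <src> <dst> <action>".
SAMPLE_FIREWALL_LOG = """\
2022-03-01T10:00:01Z 10.0.0.15 162.244.80.235 ALLOW
2022-03-01T10:00:02Z 10.0.0.15 93.184.216.34 ALLOW
2022-03-01T10:00:03Z 10.0.0.22 85.93.88.165 DENY
"""

# Constructed sample process-creation log; hypothetical format: "<timestamp> <host> <user> <cmdline>".
SAMPLE_PROCESS_LOG = """\
2022-03-01T10:05:00Z WS01 alice powershell.exe Get-ChildItem -Recurse -Include *payroll*,*billing* C:\\Shares
2022-03-01T10:05:30Z WS02 bob notepad.exe C:\\Users\\bob\\notes.txt
2022-03-01T10:06:00Z WS03 svc findstr /s /i insurance policy \\\\fileserver\\finance\\*.docx
"""


def find_c2_connections(log_text: str) -> list[dict]:
    """Return every firewall record whose destination is one of the listed C2 IPs.

    Denied connections are reported too: a blocked beacon still indicates an
    infected host that needs investigating.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        ts, src, dst, action = parts[:4]
        if dst in C2_IPS:
            hits.append({"ts": ts, "src": src, "dst": dst, "action": action})
    return hits


def find_financial_discovery(log_text: str, min_terms: int = 2) -> list[dict]:
    """Flag command lines that reference at least `min_terms` distinct financial keywords.

    Requiring more than one distinct term in a single command line keeps
    ordinary mentions of e.g. "policy" (Group Policy tooling) from alerting,
    while still catching a recursive search for several of the terms at once.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, host, user, cmdline = parts
        terms = sorted({m.group(0).lower() for m in TERM_RE.finditer(cmdline)})
        if len(terms) >= min_terms:
            hits.append({"ts": ts, "host": host, "user": user, "terms": terms, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_FIREWALL_LOG):
        print("C2 connection:", hit)
    for hit in find_financial_discovery(SAMPLE_PROCESS_LOG):
        print("Financial discovery:", hit)
```

Both checks are deliberately simple so they can be ported to a SIEM query: the IP match is an exact-set lookup on the destination field, and the keyword check is a single regular expression with a distinct-term threshold to limit false positives. Tune `min_terms` and the term list to your environment; in the constructed sample, the `Get-ChildItem` and `findstr` lines are flagged and the `notepad.exe` line is not.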
MITRE Methodologies
– S0154 – Cobalt Strike
– T1083 – File and Directory Discovery
Further Information
conti-pentester-guide-leak
Bleeping Computer – Ransomware gang’s script shows exactly the files they’re after