Leaked Ransomware Tools

Overview

In the past few weeks, ransomware gangs have had data of their own leaked, giving insight into their operations.

The Conti group had a set of tools and training documents released onto a Russian-language forum. These contained information about their processes which defenders can use to help detect their activity.

More recently, security researchers have obtained a PowerShell script belonging to the Pysa group. This script is used for initial reconnaissance on victims’ networks and shows the types of data that Pysa is most interested in targeting.

Impact

This data can be used to build detections against these groups’ activity.

Indicators of Compromise

C2 IPs
162.244.80.235
85.93.88.165
185.141.63.120
82.118.21.1

Threat Landscape

The targeting scripts included with both leaks have a focus on financial information. Search terms such as “billing”, “payment” or “payroll” would surface particularly sensitive information that a victim would want to keep private. Such information could also be used for fraud if the victim does not pay the ransom.

The Conti targeting includes insurance and policy documents, which suggests they may be particularly interested in companies with cyber insurance, as this can be an indicator that a company is more likely to pay out a ransom.
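As an added illustration (not code from either leak or from the original advisory), the following Python snippet turns the points above into two simple checks: it matches constructed firewall log lines against the C2 IPs listed in this advisory, and it flags logged PowerShell script blocks that pair file and directory discovery with several of the financial search terms the leaked scripts focus on. The log line format, the keyword threshold and the sample data are assumptions.

```python
import re

# C2 IPs listed in the Indicators of Compromise section above.
C2_IPS = {"162.244.80.235", "85.93.88.165", "185.141.63.120", "82.118.21.1"}

# Financial search terms the leaked targeting scripts focus on, plus the
# insurance/policy terms noted for Conti.
TARGET_TERMS = ("billing", "payment", "payroll", "insurance", "policy")

# Cmdlets/aliases commonly used for file and directory discovery (T1083).
DISCOVERY_PATTERN = re.compile(r"get-childitem|\bgci\b|\bdir\b|\bls\b", re.IGNORECASE)


def count_target_terms(script_text):
    """Return how many distinct financial search terms appear in a script block."""
    lowered = script_text.lower()
    return sum(1 for term in TARGET_TERMS if term in lowered)


def flag_script_block(script_text, min_terms=3):
    """Flag a logged PowerShell script block (e.g. script block logging) that
    combines file discovery with several financial search terms.
    The threshold of three terms is an assumption, tune it to your environment."""
    return bool(DISCOVERY_PATTERN.search(script_text)) and count_target_terms(script_text) >= min_terms


def flag_c2_connections(log_lines):
    """Return (line_number, ip) for log lines whose destination is a known C2 IP.
    Assumes a 'dst=<ip>' field in each line (constructed format)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+)", line)
        if m and m.group(1) in C2_IPS:
            hits.append((n, m.group(1)))
    return hits


# Constructed sample data, not real telemetry.
SAMPLE_SCRIPT = 'Get-ChildItem -Path \\\\fileserver\\shares -Recurse -Include "*billing*","*payroll*","*insurance*"'
BENIGN_SCRIPT = 'Get-ChildItem -Path C:\\Logs -Filter *.log'
SAMPLE_FW_LOG = [
    "2021-09-01T10:00:01 action=allow src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2021-09-01T10:00:07 action=allow src=10.0.0.5 dst=185.141.63.120 dport=443",
    "2021-09-01T10:00:09 action=allow src=10.0.0.7 dst=82.118.21.1 dport=80",
]

if __name__ == "__main__":
    print("suspicious script:", flag_script_block(SAMPLE_SCRIPT), "benign:", flag_script_block(BENIGN_SCRIPT))
    print("C2 hits:", flag_c2_connections(SAMPLE_FW_LOG))
```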

Mitre Methodologies

S0154 – Cobalt Strike
T1083 – File and Directory Discovery

Further Information

conti-pentester-guide-leak
Bleeping Computer – Ransomware gang’s script shows exactly the files they’re after