Researchers at Cisco Talos have translated a playbook used by the ransomware-as-a-service group Conti. The playbook contains detailed instructions for how to gain administrator access, including searching social media to find employees to target.
“The adversaries list several ways to hunt for administrator access once on the victim network,” the researchers write. “They use commands such as Net to list users and tools like AdFind to enumerate users with access to Active Directory, and even OSINT, including the use of social media sites like LinkedIn to identify roles and users with privileged access. They note that this hunting process is particularly easy in U.S. and EU networks because of how they are structured and how roles and responsibilities are commonly detailed in comments.”
The researchers note the gang is fairly well-organized and educated on corporate network structures.
“References to team leads, chats and conferences indicate that the group is at least somewhat well-organized,” the researchers write. “They also display a familiarity with corporate network environments, such as where prized assets are located and how to access them. This is particularly true for U.S. and European networks, which they note have enhanced documentation that provides for easier targeting. Of note, the only ‘geographical’ mention by the adversaries was the mention of U.S./EU active directory (AD) structures. Their instructions, which are meticulous and easy to follow, also demonstrate that they are efficient and methodical.”
Talos also stresses that the manual allows less-technical criminals to carry out sophisticated ransomware attacks.
“One of the biggest takeaways during the translation was the overall thoroughness and detail of these playbooks,” the researchers write. “The level of detail provided could allow even amateur adversaries to carry out destructive ransomware attacks, a much lower barrier to entry than other forms of attacks. This lower barrier to entry also may have led to the leak by a disgruntled member who was viewed as less technical (aka ‘a script kiddie’) and less important.”
New-school security awareness training can enable your employees to thwart social engineering attacks.
Cisco Talos has the story.