Ransomware hackers have sparked international action, but they are often informal enterprises that can turn on one another.
Someone claiming to work with one of the most notorious ransomware gangs says they’re fed up with how extortion money is divvied up and has leaked a host of the gang’s files on a hacker forum.
The files, posted to a forum frequented by Russian-speaking cybercriminals and reviewed by NBC News, include numerous instruction manuals allegedly belonging to Conti, a Russian-speaking hacker group that has attacked several hospitals, including health care chains in the U.S., and Ireland’s national system, the Health Service Executive.
In one step-by-step guide, written in Russian, members are instructed how to identify and hack victims using Cobalt Strike, software that includes a number of known hacking programs. While built for defenders to test their own systems, Cobalt Strike has become a popular tool for criminal hackers.
The leak appears authentic, said Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, as it describes the attacks as coming from the same servers that his company already tracked as Conti. Some of the files show IP addresses Conti used for Cobalt Strike attacks, which Recorded Future had seen before.
The guide tells members that step one is to use Google to search for a potential target company’s revenue. Hackers are then instructed to find employee accounts that have the company’s administrative…