Threat Actor ‘m1Geelka’ Leaks Tools Allegedly Used To Support CONTI Operations

BACKGROUND:

The actor “m1Geelka” shared a link to a RAR archive containing manuals and tools allegedly provided to actors distributing CONTI ransomware. By sharing this toolset, m1Geelka has made these resources available to a much broader set of threat actors.

Expert Comments

August 09, 2021
Charles Carmakal
SVP and CTO
Mandiant

The leak of the Conti data will enable defenders to better understand how Conti-affiliated actors conduct their intrusion operations. However, it will also help other threat actors learn new techniques to conduct intrusion operations. I have no doubt that within the next 12 months, situations will arise where victims pay threat actors for a promise to not publish data that was stolen, yet it will be released by an affiliate that gets upset with the RaaS. One reason for this may be because an affiliate does not get paid by the RaaS operator or they don't feel like they got their fair share. There's more risk today of a victim paying a threat actor solely for a promise to not publish the data that they stole.

August 09, 2021
Kimberly Goody
Manager, Cybercrime Analysis
FireEye

The leaking of these documents highlights the broader trend of generally well-resourced groups recruiting and training new members by equipping them with what equates to a “how-to” guide for ransomware operations. Groups such as this also leverage private chat channels allowing for troubleshooting with actors who may be more skilled or experienced. This isn’t unique to these actors though. We’ve seen other groups operate similarly, ultimately enabling a greater number of actors to learn how to conduct these attacks. One potential benefit of this leak is that the documentation is now available to defenders who may have not previously seen these tactics used against them and now can review the documentation to potentially enable better defenses.
