The actor “m1Geelka” shared a link to a RAR archive containing manuals and tools allegedly provided to actors distributing CONTI ransomware. By sharing this toolset, m1Geelka has made these resources available to a much broader set of threat actors.
<p><span style=\"font-family: Arial;\">The leak of the Conti data will enable defenders to better understand how Conti-affiliated actors conduct their intrusion operations. However, it will also help other threat actors learn new techniques to conduct intrusion operations. I have no doubt that within the next 12 months, situations will arise where victims pay threat actors for a promise to not publish data that was stolen, yet it will be released by an affiliate that gets upset with the RaaS. One reason for this may be because an affiliate does not get paid by the RaaS operator or they don\’t feel like they got their fair share. There\’s more risk today of a victim paying a threat actor solely for a promise to not publish the data that they stole.</span></p>
<p><span style=\"font-family: Arial;\">The leaking of these documents highlights the broader trend of generally well-resourced groups recruiting and training new members by equipping them with what equates to a “how-to” guide for ransomware operations. Groups such as this also leverage private chat channels allowing for troubleshooting with actors who may be more skilled or experienced. This isn’t unique to these actors though. We’ve seen other groups operate similarly, ultimately enabling a greater number of actors to learn how to conduct these attacks. One potential benefit of this leak is that the documentation is now available to defenders who may have not previously seen these tactics used against them and now can review the documentation to potentially enable better defenses.</span></p>