
Step 1: Do a Google search. Ransomware hacker goes rogue, leaks gang's plan.

Ransomware hackers have sparked international action, but they are often informal enterprises that can turn on one another.
Testers at a facility in Dublin's Croke Park in May 2020. Conti, a Russian-speaking hacker group, has attacked health care chains in the U.S. and Ireland’s national system, the Health Service Executive. (Ray McManus / Sportsfile via Getty Images file)

Someone claiming to work with one of the most notorious ransomware gangs says they’re fed up with how extortion money is divvied up and has leaked a host of the gang's files on a hacker forum.

The files, posted to a forum frequented by Russian-speaking cybercriminals and reviewed by NBC News, include numerous instruction manuals allegedly belonging to Conti, a Russian-speaking hacker group that has attacked several hospitals, including health care chains in the U.S., and Ireland’s national system, the Health Service Executive.

In one step-by-step guide, written in Russian, members are instructed on how to identify and hack victims using Cobalt Strike, software that includes a number of known hacking programs. While built for defenders to test their own systems, Cobalt Strike has become a popular tool for criminal hackers.

The guide tells members that step one is to use Google to search for a potential target company's revenue. Hackers are then instructed on how to find employee accounts that have the company's administrative privileges, and how to use that information to deploy ransomware that would encrypt the company's entire network and hold it hostage for a ransom.

The leak appears authentic, said Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, as it describes the attacks as coming from the same servers that his company already tracked as Conti. Some of the files show IP addresses Conti used for Cobalt Strike attacks, which Recorded Future had seen before.

A screenshot from the leaked files detailing the first steps to launch a ransomware attack.

Ransomware hackers have attacked American schools, hospitals and companies with apparent impunity, sparking international action. But ransomware gangs are often informal enterprises that can turn on one another. The leak shows how much of Conti’s operations are apparently contracted out from principal gang members to affiliate hackers, a relationship that can grow sour.

"What’s interesting to me about this is how much of it is scripted," Liska said.

The hacker who leaked the information has been an active affiliate of Conti ransomware for months, Liska said. 

In their post leaking the files, the user, whose role in Conti’s operation has been to find vulnerabilities in potential victims’ networks, complained that those at the top of the gang took too large a percentage of the extortion money.

"They recruit suckers and divide the money among themselves," the user posted in Russian.