Security News > 2021 > August > Conti ransomware prioritizes revenue and cyberinsurance data theft
Training material used by Conti ransomware affiliates was leaked online this month, allowing an inside look at how attackers abuse legitimate software and seek out cyber insurance policies.
An interesting tactic used by the ransomware gang is using the legitimate Atera remote access software as a backdoor for continued persistence.
One of the leaked documents titled 'CobaltStrike MANUAL V2.docx' details the specific steps that an affiliate should use when conducting a Conti ransomware attack.
After the first stage of the attack, which is to breach the network, gather credentials, and gain control of the Windows domain, the threat actors tell their affiliates to start exfiltrating data from the compromised network.
When first exfiltrating data from the victim's servers, the Conti ransomware gang will specifically look for documents related to the company's financials and whether they have a cybersecurity policy.
The ransomware gang tells the affiliates to "Prepares datapack right away" and immediately upload the data to Mega, which they used as a hosting platform for the exfiltrated data.