Inside a Ransomware Gang
Ransomware attacks now command the full attention of private entities and public institutions. The White House, through various channels, has addressed this subject following attacks on Colonial Pipeline and Kaseya. In Italy, the attack on the Lazio region caused the same disruptions observed in similar situations in the U.S.A.
Behind these cyber attacks are well-organized groups, developers who refine their tools, and Penetration Testers (also known as Operators) recruited to compromise infrastructure.
Criminals seeking collaborators

Criminal actors continuously seek collaborations to expand their operations. In this specific case, a criminal group, through a form of Job Posting, is recruiting individuals to perform Penetration Tester activities.
The post was followed by a comment from an “angry” user affiliated with this group, disclosing critical information about their attacks and organizational structure. The user also shared details on Command & Control servers and attached a guide documenting all steps followed by the criminals to compromise infrastructure. Examples include procedures for executing Brute-force attacks, data exfiltration, and disk encryption. Our Cyber Threat Intelligence operations tracked this disclosure across multiple threat forums.
The group appears to be affiliated with the notorious Conti RaaS operation.

Hours later, the forum administrator removed the recruitment post containing the screenshots, along with the guide. The user subsequently created a separate post reposting all materials. Among the comments, a response from a user connected to the LockBit 2.0 RaaS service expressed dissatisfaction.
