Ransomware gang’s Cobalt Strike servers receive anti-Russia messages in a series of DDoS
There has been a flood of anti-Russian messages to Cobalt Strike servers run by former Conti ransomware gang members in order to disrupt their operations. At the time, TeamServers (C2) used by ransomware actors to control the Cobalt Strike (CS) Beacon payloads on compromised hosts are being tracked by someone, allowing for lateral network movement.
There has been a flood of anti-Russian messages to Cobalt Strike servers run by former Conti ransomware gang members in order to disrupt their operations.
Although the operators of Conti ransomware turned off their infrastructure this year in May, its members are now a part of other ransomware groups, including Quantum, Hive, and BlackCat.
At the time, TeamServers (C2) used by ransomware actors to control the Cobalt Strike (CS) Beacon payloads on compromised hosts are being tracked by someone, allowing for lateral network movement. When they go inside the CS servers, the usernames they use are ‘Stop Putin!’, or they change their computer name to messages like ‘Be a Russian patriot!’, and ‘Stop the war!’ It is unknown who is sending these messages, as it could be anyone from a security researcher to law enforcement or even a cybercriminal with a grudge for siding with Russia, BleepingComputer reports.
In the end, the disruption was only temporary, and the ransomware actor returned to the scene with a more robust infrastructure, allowing them to keep the stolen data accessible even in the face of distributed denial-of-service (DDoS) attacks.