An affiliate of the Conti Ransomware gang has allegedly leaked several pieces of sensitive information regarding the threat actor, such as IP addresses for Cobalt Strike C2 servers, training materials, and numerous tools. Together, the information reveals how the group conducts its malicious attacks. The individual released the information after alleging that the cybercriminal organization underpaid him for his work, claiming to have received only $1,500.

A security researcher uncovered the post, which was shared to an online forum by the disgruntled affiliate. The information exposed is integral to Conti’s ransomware-as-a-service (RaaS) operation, according to researchers. RaaS is a model in which an experienced ransomware developer creates and manages the resources such as tools and infrastructure needed to perform attacks. Recruited affiliates then typically do the heavy lifting and receive financial compensation. Apparently, Conti failed to pay the affiliate an adequate amount following his efforts.