Hackers use Conti’s leaked ransomware to attack Russian companies


A hacking group has used the leaked Conti ransomware source code to build its own ransomware for use in cyberattacks against Russian companies.

While it is common to hear of ransomware attacks targeting companies and encrypting data, we rarely hear about Russian companies being attacked in the same way.

This lack of attacks is due to the common belief among Russian hackers that if they do not attack Russian interests, the country's law enforcement will turn a blind eye toward attacks on other countries.

However, the tables have now turned, with a hacking group known as NB65 targeting Russian companies with ransomware attacks.

Ransomware targets Russia

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, stating that the attacks are a response to Russia's invasion of Ukraine.

The Russian entities claimed to have been attacked by the hacking group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster.

NB65 tweet about attack on VGTRK

The attack on VGTRK was especially significant, as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoSecrets website.

More recently, the NB65 hackers have turned to a new tactic, targeting Russian companies with ransomware attacks since the end of March.

What makes this more interesting is that the hacking group built their ransomware using the leaked source code of the Conti ransomware operation, whose Russian threat actors prohibit their affiliates from attacking entities in Russia.

NB65 tweet about use of Conti ransomware

Conti's source code was leaked after the group sided with Russia over the attack on Ukraine, and a security researcher published 170,000 internal chat messages and the source code for their operation.

BleepingComputer first learned of NB65's attacks from threat analyst Tom Malka, but we could not find a ransomware sample, and the hacking group was not willing to share it.

However, this changed yesterday when a sample of NB65's modified Conti ransomware executable was uploaded to VirusTotal, allowing us to get a glimpse of how it works.

Almost all antivirus vendors detect this sample on VirusTotal as Conti, and Intezer Analyze also determined that it shares 66% of its code with the usual Conti ransomware samples. In practice this means that existing Conti-oriented signatures and behavioral detections are likely to fire on the NB65 build as well, even though, as described below, the file extension and ransom note name differ.

BleepingComputer gave NB65's ransomware a run, and when encrypting files, it appends the .NB65 extension to the encrypted files' names.

Files encrypted by NB65's ransomware
Source: BleepingComputer

The ransomware also creates ransom notes named R3ADM3.txt throughout the encrypted device, with the threat actors blaming the cyberattack on President Vladimir Putin for invading Ukraine.

"We're watching very closely. Your President should not have committed war crimes. If you're looking for someone to blame for your current predicament look no further than Vladimir Putin," reads the NB65 ransom note displayed below.

Ransom note for NB65 ransomware
Source: BleepingComputer
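The two host-level indicators reported above, the .NB65 extension on encrypted files and the R3ADM3.txt note dropped into directories, are what an incident responder would sweep a suspect file share for. The following triage script is an added example written for this article; it is not NB65's code, not BleepingComputer's, and not a tool from any vendor. It walks a directory tree, collects files carrying the .NB65 extension, finds R3ADM3.txt notes, and checks whether each note contains the phrase quoted in the article. The sample tree it builds is constructed for the demonstration and contains no real victim data; the case-insensitive extension match is an assumption, since the article only reports the extension as it appeared.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article's description of the NB65 sample.
NB65_EXTENSION = ".NB65"
RANSOM_NOTE_NAME = "R3ADM3.txt"
# Phrase from the ransom note quoted in the article; used to confirm a note is NB65's
# rather than some other file that happens to share the name.
NOTE_PHRASE = "look no further than Vladimir Putin"


def triage_tree(root):
    """Sweep a directory tree for NB65 indicators.

    Returns a dict with the encrypted-file paths, one entry per ransom note found
    (with a flag for the known phrase), and an overall 'likely_nb65' verdict that
    requires both encrypted files and a note matching the quoted text.
    """
    root = Path(root)
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    text = ""
                notes.append({
                    "path": str(path),
                    "matches_known_phrase": NOTE_PHRASE in text,
                })
            # Assumption: match the extension case-insensitively so a sweep is not
            # defeated by a differently cased build; the article reports ".NB65".
            elif name.lower().endswith(NB65_EXTENSION.lower()):
                encrypted.append(str(path))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": notes,
        "likely_nb65": bool(encrypted) and any(n["matches_known_phrase"] for n in notes),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample tree (no real data) for the demonstration.

    With infected=True it mimics a directory the article describes: one encrypted
    document and one R3ADM3.txt note beside an untouched file.
    """
    tmp = Path(tempfile.mkdtemp(prefix="nb65_triage_"))
    docs = tmp / "docs"
    docs.mkdir()
    (docs / "unaffected.txt").write_text("ordinary file, left alone\n")
    if infected:
        (docs / "report.docx.NB65").write_bytes(b"\x8f\x12\x00ciphertext placeholder")
        (docs / RANSOM_NOTE_NAME).write_text(
            "We're watching very closely. Your President should not have committed "
            "war crimes. If you're looking for someone to blame for your current "
            "predicament look no further than Vladimir Putin\n"
        )
    return tmp


def cleanup(root):
    """Remove a sample tree created by build_sample_tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        result = triage_tree(sample)
        print(f"encrypted files: {len(result['encrypted_files'])}")
        print(f"ransom notes:    {len(result['ransom_notes'])}")
        print(f"likely NB65:     {result['likely_nb65']}")
    finally:
        cleanup(sample)
```

Point triage_tree at a mounted share or a forensic image's mount point to inventory what was touched; the per-note phrase check matters because, as the article notes, the build is otherwise detected as Conti, so the note text and extension are what distinguish NB65's deployment from a stock Conti one.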

A representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple of variables that we change for each target," NB65 told BleepingComputer.

"There's really no way to decrypt without making contact with us."

At this time, NB65 has not received any communications from their victims and told us that they were not expecting any.

As for NB65's reasons for attacking Russian companies, we will let them speak for themselves.

"After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this absurd war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)... We figured it was time for them to deal with that themselves."
