A hacking group used Conti’s leaked ransomware source code to create their own ransomware for cyber attacks against Russian organizations.
While it’s common to hear that ransomware attacks target businesses and encrypt data, we rarely hear of Russian organizations being attacked in the same way.
This lack of attacks is due to Russian hackers’ common belief that if they don’t attack Russian interests, the country’s law enforcement officers will turn a blind eye to attacks on other countries.
However, the tables have now turned: a hacking group known as NB65 is now targeting Russian organizations with ransomware attacks.
Ransomware targets Russia
In the past month, a hacking group known as NB65 hacked into Russian entities, stole their data and leaked it online, warning that the attacks are due to the Russian invasion of Ukraine.
The Russian entities claimed to have been attacked by the hacking group include: document management operator Tensor† Russian space agency Roscosmosand VGTRK, the state-owned Russian television and radio station.
The attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website.
More recently, the NB65 hackers have adopted a new tactic: targeting Russian organizations with ransomware attacks since late March.
What makes this more interesting is that the hacking group created their ransomware using the leaked source code for the Conti Ransomware operation, which are Russian threat actors that prohibit their members from attacking entities in Russia.
Conti’s source code was leaked after they sided with Russia over the attack on Ukraine, and a security researcher leaked 170,000 internal chat messages and source code for their operation.
BleepingComputer first heard of NB65’s attacks by threat analyst Tom Malkabut we couldn’t find a ransomware sample and the hacking group was unwilling to share it.
However, this changed yesterday when a sample of the NB65’s custom Conti ransomware executable was uploaded to VirusTotal so we could get a glimpse of how it works.
Almost all antivirus vendors detect this sample on VirusTotal as Conti, and Intezer Analysis has also found that it uses 66% of the same code as the usual Conti ransomware samples.
BleepingComputer gave the NB65 ransomware a run, and when encrypting files, it will append the .NB65 extension to the names of the encrypted files.
Files encrypted by NB65 ransomware ransomware
Source: BleepingComputer
The ransomware also creates ransom notes called R3ADM3.txt on the encrypted device, with the threat actors blaming the cyber attack on President Vladimir Putin for invading Ukraine.
“We’re watching closely. Your president shouldn’t have committed any war crimes. If you’re looking for someone to blame for your current situation, look no further than Vladimir Putin,” reads the NB65 ransomware note. Below.
Ransom note for NB65 ransomware
Source: BleepingComputer
A representative of the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak, but modified it for each victim so that existing decryptors wouldn’t work.
“It has been modified so that all versions of Conti’s decryptor will not work. Each implementation generates a randomized key based on a number of variables that we change for each purpose,” NB65 told BleepingComputer.
“There’s really no way to decrypt without contacting us.”
At this point, NB65 has not received any messages from their victims and told us they were not expecting any.
As for NB65’s reasons for attacking Russian organizations, we will let them speak for themselves.
“After Bucha, we chose to attack certain companies, which may be civilian-owned, but would nevertheless have an impact on Russia’s ability to operate normally. Russian popular support for Putin’s war crimes has been overwhelming We made it clear from the very beginning Support Ukraine We will honor our word When Russia ends all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet assets and companies.
Until then, fuck em.
We will not hit targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs, have been hitting the West for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We thought it was time for them to tackle that themselves.”
This post Hackers Use Conti’s Leaked Ransomware to Attack Russian Companies
was original published at “https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/”