A hacking group has used Conti’s leaked ransomware source code to build its own ransomware for cyberattacks against Russian companies.

While it is common to hear of ransomware attacks targeting companies and encrypting data, we rarely hear about Russian organizations being attacked in the same way.

This lack of attacks is due to the general belief among Russian hackers that if they do not attack Russian interests, the country’s law enforcement will turn a blind eye to attacks on other countries.

However, the tables have now turned, with a hacking group known as NB65 targeting Russian organizations with ransomware attacks.

Ransomware targets Russia

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are a response to Russia’s invasion of Ukraine.

The Russian entities claimed to have been attacked by the hacking group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster.

NB65 tweet about attack on VGTRK

The attack on VGTRK was particularly significant, as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website.

More recently, the NB65 hackers have turned to a new tactic: since the end of March they have been targeting Russian organizations with ransomware attacks.

What makes this more interesting is that the hacking group built their ransomware using the leaked source code of the Conti Ransomware operation, a Russian threat actor group that prohibits its members from attacking entities in Russia.

NB65 tweet about use of Conti ransomware

Conti’s source code was leaked after the group sided with Russia over the attack on Ukraine, when a security researcher leaked 170,000 internal chat messages and the source code for their operation.

BleepingComputer first learned of NB65’s attacks from threat analyst Tom Malka, but we could not find a ransomware sample, and the hacking group was not willing to share one.

However, this changed yesterday when a sample of NB65’s modified Conti ransomware executable was uploaded to VirusTotal, allowing us to get a glimpse of how it works.

Almost all antivirus vendors on VirusTotal detect this sample as Conti, and Intezer Analyze also determined that it shares 66% of its code with typical Conti ransomware samples.

BleepingComputer gave NB65’s ransomware a run, and when encrypting files, it appends the .NB65 extension to each encrypted file’s name.

Files encrypted by NB65’s ransomware
Source: BleepingComputer

The ransomware also creates ransom notes named R3ADM3.txt throughout the encrypted device, with the threat actors blaming the cyberattack on President Vladimir Putin for invading Ukraine.

“We are watching very closely. Your President should not have committed war crimes. If you’re looking for somebody to blame for your current situation look no further than Vladimir Putin,” reads the NB65 ransom note displayed below.

Ransom note for NB65 ransomware
Source: BleepingComputer
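The two on-disk indicators described above (the .NB65 extension appended to encrypted files and the R3ADM3.txt ransom note) are what an incident responder would look for first when triaging a suspected host. The following script is an added example written for this article, not BleepingComputer’s code and not NB65’s: it walks a directory tree, collects both indicators, and reports which directories were touched. The indicator strings come from the article; the sample directory it builds is constructed for the demonstration, and the scanning heuristics (extension suffix match, exact note filename) are this example’s own assumptions.

```python
"""Triage check for the on-disk artifacts this article attributes to NB65's
Conti-derived encryptor. Example code for this article, not the project's or
publisher's code. Indicator strings are from the article; the scanning
heuristics and sample data are assumptions made for the demonstration."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".NB65"          # extension appended to encrypted files (from the article)
RANSOM_NOTE_NAME = "R3ADM3.txt"  # ransom note file name (from the article)


def scan_for_nb65_artifacts(root):
    """Walk `root` and collect paths matching the two indicators.

    Returns a dict with sorted lists of encrypted-looking files and ransom
    notes, plus the set of directories holding at least one of either.
    Matching on a suffix and a file name is a post-hoc triage signal only;
    it tells you where the encryptor ran, not how it got in."""
    result = {"encrypted": [], "notes": [], "affected_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
                result["affected_dirs"].add(dirpath)
            elif name == RANSOM_NOTE_NAME:
                result["notes"].append(path)
                result["affected_dirs"].add(dirpath)
    result["encrypted"].sort()
    result["notes"].sort()
    return result


def build_sample_tree():
    """Construct a throwaway directory that mimics a partially encrypted host.

    All names and contents here are made up for this example; the zero bytes
    stand in for ciphertext and carry no real encryption."""
    root = tempfile.mkdtemp(prefix="nb65_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.NB65").write_bytes(b"\x00" * 64)   # constructed "encrypted" file
    (docs / "budget.xlsx.NB65").write_bytes(b"\x00" * 64)   # constructed "encrypted" file
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note text\n")
    untouched = Path(root, "untouched")
    untouched.mkdir()
    (untouched / "notes.txt").write_text("nothing unusual here\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    findings = scan_for_nb65_artifacts(sample_root)
    print(f"encrypted files: {len(findings['encrypted'])}")
    print(f"ransom notes:    {len(findings['notes'])}")
    print(f"affected dirs:   {sorted(findings['affected_dirs'])}")
```

Run it against a real mount point instead of the constructed tree by passing that path to `scan_for_nb65_artifacts`; the list of affected directories gives a quick scope estimate for the encryption run, and the ransom note paths are the first items to preserve before any cleanup.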

A representative of the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

“It’s been modified in a way that all versions of Conti’s decryptor won’t work. Each deployment generates a randomized key based off of a couple variables that we change for every target,” NB65 told BleepingComputer.

“There’s really no way to decrypt without making contact with us.”

At this time, NB65 has not received any communications from their victims and told us that they were not expecting any.

As for NB65’s reasons for attacking Russian companies, we will let them speak for themselves.

“After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia’s ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.”
