May 22, 2024

Tyna Woods


Hackers use Conti’s leaked ransomware to attack Russian companies


A hacking group has used the leaked Conti ransomware source code to build its own ransomware for use in cyberattacks against Russian businesses.

While it is common to hear of ransomware attacks targeting organizations and encrypting their data, we rarely hear of Russian companies being attacked in the same way.

This lack of attacks stems from the common belief among Russian hackers that if they do not attack Russian interests, the country's law enforcement will turn a blind eye to attacks on other countries.

However, the tables have now turned, with a hacking group known as NB65 targeting Russian businesses with ransomware attacks.

Ransomware targets Russia

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are a response to Russia's invasion of Ukraine.

The Russian entities claimed to have been attacked by the hacking group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster.

NB65 tweet about attack on VGTRK

The attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website.

More recently, the NB65 hackers have turned to a new tactic, targeting Russian organizations with ransomware attacks since the end of March.

What makes this more interesting is that the hacking group built their ransomware using the leaked source code of the Conti ransomware operation, whose Russian operators prohibit their affiliates from attacking entities in Russia.

NB65 tweet about use of Conti ransomware

Conti's source code was leaked after the gang sided with Russia over the invasion of Ukraine, and a security researcher then leaked 170,000 internal chat messages and the source code for their operation.

BleepingComputer first learned of NB65's attacks from threat analyst Tom Malka, but we could not find a ransomware sample, and the hacking group was not willing to share one.

However, this changed yesterday when a sample of NB65's modified Conti ransomware executable was uploaded to VirusTotal, allowing us to get a glimpse of how it works.

Almost all antivirus vendors on VirusTotal detect this sample as Conti, and Intezer Analyze also found that it shares 66% of its code with the standard Conti ransomware samples.

BleepingComputer gave NB65's ransomware a run, and when encrypting files, it appends the .NB65 extension to the encrypted files' names.

Files encrypted by NB65's ransomware
Source: BleepingComputer

The ransomware also creates ransom notes named R3ADM3.txt across the encrypted device, in which the threat actors blame the cyberattack on President Vladimir Putin for invading Ukraine.

"We're watching very closely. Your President should not have committed war crimes. If you are looking for someone to blame for your current situation look no further than Vladimir Putin," reads the NB65 ransom note shown below.

Ransom note for NB65 ransomware
Source: BleepingComputer
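The two on-disk indicators described above, the appended .NB65 extension and the R3ADM3.txt note, are what a responder would look for first when triaging a suspected hit. The script below is an added, hypothetical example and is not code from NB65, Conti or BleepingComputer; it walks a directory tree, counts renamed files per directory, checks that a R3ADM3.txt actually contains the quoted note text rather than merely sharing the name, and recovers the original file names. The sample tree it scans is constructed inside the script so it runs offline.

```python
"""Triage script for the two on-disk indicators the article attributes to
NB65's Conti-derived encryptor: encrypted files renamed with a trailing
".NB65" extension and ransom notes named "R3ADM3.txt".  This is an added,
hypothetical example, not code from NB65, Conti or BleepingComputer; the
directory tree it scans is constructed in build_sample_tree()."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".NB65"     # appended to encrypted file names (from the article)
RANSOM_NOTE = "R3ADM3.txt"  # note dropped across the encrypted device (from the article)
# A phrase from the note quoted in the article, used to distinguish a real
# note from an unrelated file that happens to share the name.
NOTE_MARKER = "Vladimir Putin"


def original_name(encrypted_name):
    """Recover the pre-encryption file name; the extension is simply appended."""
    if encrypted_name.endswith(ENCRYPTED_EXT):
        return encrypted_name[: -len(ENCRYPTED_EXT)]
    return encrypted_name


def scan_tree(root):
    """Walk `root` and return {relative_dir: {"encrypted": [names], "note": bool}}
    for every directory that holds at least one indicator."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = str(Path(dirpath).relative_to(root))
        entry = {"encrypted": [], "note": False}
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                entry["encrypted"].append(name)
            elif name == RANSOM_NOTE:
                try:
                    text = (Path(dirpath) / name).read_text(errors="replace")
                except OSError:
                    continue
                entry["note"] = NOTE_MARKER in text
        entry["encrypted"].sort()  # deterministic order regardless of filesystem
        if entry["encrypted"] or entry["note"]:
            findings[rel] = entry
    return findings


def summarize(findings):
    """Roll the per-directory findings up into the numbers a responder reports first."""
    return {
        "encrypted_files": sum(len(v["encrypted"]) for v in findings.values()),
        "dirs_with_note": sum(1 for v in findings.values() if v["note"]),
        "dirs_hit": len(findings),
    }


def build_sample_tree(root):
    """Constructed sample data, not a real infection: two directories with notes,
    one encrypted directory without a note, a clean source tree, and a decoy
    R3ADM3.txt that does not contain the ransom text."""
    root = Path(root)
    note = ("We're watching very closely. Your President should not have committed "
            "war crimes. If you are looking for someone to blame for your current "
            "situation look no further than Vladimir Putin.")
    layout = {
        "docs": {"report.docx.NB65": b"\x00" * 32, "budget.xlsx.NB65": b"\x00" * 32,
                 RANSOM_NOTE: note},
        "src": {"main.py": "print('hello')\n", RANSOM_NOTE: note},
        "photos": {"holiday.jpg.NB65": b"\x00" * 32},
        "notes": {RANSOM_NOTE: "shopping list\n"},  # decoy: same name, wrong content
    }
    for d, files in layout.items():
        (root / d).mkdir()
        for name, content in files.items():
            p = root / d / name
            if isinstance(content, bytes):
                p.write_bytes(content)
            else:
                p.write_text(content)


def demo():
    """Build the sample tree in a temporary directory, scan it, and return
    (findings, summary) so the results can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    return findings, summarize(findings)


if __name__ == "__main__":
    found, total = demo()
    for d in sorted(found):
        print(f"{d}: {len(found[d]['encrypted'])} encrypted, note={found[d]['note']}")
    print(total)
```

The content check on the note matters in practice: a file named R3ADM3.txt on its own is a weak signal, while the quoted phrase plus renamed files in the same directory is a much stronger one. Because the extension is only appended, stripping it gives the original names for the restore-from-backup list without needing a decryptor.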

A representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple of variables that we change for each target," NB65 told BleepingComputer.

"There's really no way to decrypt without making contact with us."

At this time, NB65 has not received any communications from their victims and told us that they were not expecting any.

As for NB65's reasons for attacking Russian companies, we will let them speak for themselves.

"After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this absurd war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)... We figured it was time for them to deal with that themselves."