May 27, 2022


Future Technology

Hackers use Conti’s leaked ransomware to attack Russian companies


A hacking group used Conti's leaked ransomware source code to build its own ransomware for use in cyberattacks against Russian organizations.

While it is common to hear of ransomware attacks targeting businesses and encrypting data, we rarely hear about Russian organizations being attacked in the same way.

This lack of attacks is due to the common belief among Russian hackers that if they do not attack Russian interests, the country's law enforcement will turn a blind eye to attacks on other countries.

However, the tables have now turned, with a hacking group known as NB65 targeting Russian companies with ransomware attacks.

Ransomware targets Russia

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are a response to Russia's invasion of Ukraine.

The Russian entities claimed to have been attacked by the group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian television and radio broadcaster.

NB65 tweet about attack on VGTRK

The attack on VGTRK was particularly significant, as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were posted on the DDoS Secrets website.

More recently, the NB65 hackers have turned to a new tactic: since the end of March they have been targeting Russian organizations with ransomware attacks.

What makes this more interesting is that the group built its ransomware from the leaked source code of the Conti ransomware operation, a group of Russian threat actors who prohibit their affiliates from attacking entities in Russia.

NB65 tweet about use of Conti ransomware

Conti's source code was leaked after the gang sided with Russia over the invasion of Ukraine, and a security researcher leaked 170,000 internal chat messages along with the source code for their operation.

BleepingComputer first learned of NB65's attacks from threat analyst Tom Malka, but we could not find a ransomware sample, and the hacking group was not willing to share one.

However, this changed yesterday when a sample of NB65's modified Conti ransomware executable was uploaded to VirusTotal, allowing us to get a glimpse of how it works.

Almost all antivirus vendors on VirusTotal detect this sample as Conti, and Intezer Analyze also determined that it shares 66% of its code with the usual Conti ransomware samples.

BleepingComputer gave NB65's ransomware a run, and when encrypting files it appends the .NB65 extension to the encrypted files' names.

Files encrypted by NB65's ransomware
Source: BleepingComputer

The ransomware also creates ransom notes named R3ADM3.txt throughout the encrypted device, in which the threat actors blame the cyberattack on President Vladimir Putin for invading Ukraine.

"We're watching very closely. Your President should not have committed war crimes. If you're searching for someone to blame for your current situation look no further than Vladimir Putin," reads the NB65 ransom note shown below.

Ransom note for NB65 ransomware
Source: BleepingComputer
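The two on-disk indicators the article reports, encrypted files renamed with a .NB65 extension and ransom notes named R3ADM3.txt, are enough for a quick read-only triage of a suspected host. The script below is an added example written for this page, not NB65's code and not anything BleepingComputer published. The directory layout it scans is constructed inline to stand in for a partially encrypted machine, and the note-body check only looks for the "Vladimir Putin" phrase the article quotes from the note; both constants are assumptions drawn from the article, not a vendor signature.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article (assumed, not a vendor signature):
ENCRYPTED_EXT = ".NB65"          # appended to encrypted file names
RANSOM_NOTE_NAME = "R3ADM3.txt"  # note dropped in encrypted directories
NOTE_MARKER = "Vladimir Putin"   # phrase quoted from the note in the article


def scan_for_nb65(root):
    """Walk `root` read-only and report NB65 indicators.

    Returns a dict with:
      encrypted: sorted paths whose name ends in ENCRYPTED_EXT
      notes:     sorted (path, verified) pairs for files named RANSOM_NOTE_NAME,
                 where verified is True only if the body contains NOTE_MARKER
      per_dir:   {directory: count of encrypted files}, useful for seeing how far
                 encryption got before the process was stopped
    Nothing is modified; this is triage, not remediation.
    """
    root = Path(root)
    encrypted = []
    notes = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[Path(dirpath)] += 1
            elif name == RANSOM_NOTE_NAME:
                # A same-named file with different contents is still reported,
                # but flagged as unverified rather than silently dropped.
                try:
                    body = path.read_text(errors="replace")
                except OSError:
                    body = ""
                notes.append((path, NOTE_MARKER in body))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "per_dir": dict(per_dir),
    }


def build_sample_tree():
    """Create a throwaway directory imitating a partially encrypted host.

    Constructed sample data for this example; not files from a real infection.
    """
    base = Path(tempfile.mkdtemp(prefix="nb65_triage_"))
    docs = base / "docs"
    docs.mkdir()
    (docs / "report.docx" + ENCRYPTED_EXT if False else docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE_NAME).write_text(
        "We're watching very closely. ... look no further than Vladimir Putin"
    )
    photos = base / "photos"
    photos.mkdir()
    (photos / "cat.jpg").write_bytes(b"\xff\xd8")          # untouched file
    (photos / RANSOM_NOTE_NAME).write_text("unrelated text")  # same name, wrong body
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_for_nb65(sample_root)
    print(f"encrypted files: {len(result['encrypted'])}")
    for note_path, verified in result["notes"]:
        print(f"note: {note_path} verified={verified}")
    for directory, count in result["per_dir"].items():
        print(f"{directory}: {count} encrypted")
```

The extension and note name are trivial for the operators to change, and the article itself says the encryptor is modified per victim, so treat these as triage hints for scoping an incident rather than as a detection signature. For the binary, the near-unanimous Conti verdicts on VirusTotal that the article describes are the stronger signal.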

A representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple variables that we change for each target," NB65 told BleepingComputer.

"There is really no way to decrypt without making contact with us."

At this time, NB65 has not received any communications from its victims and told us that it was not expecting any.

As for NB65's reasons for attacking Russian companies, we will let them speak for themselves.

"After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)... We figured it was time for them to deal with that themselves."
