Russian Entities Are Being Attacked By Modified Conti Ransomware

Here’s a bit of a plot twist that I perhaps should have seen coming. You might recall that the Conti ransomware group kind of fell apart over Russia’s invasion of Ukraine and some of their source code leaked out to the public. Now it seems a group has used this source code to launch attacks on Russian entities.

You read that correctly. Russian entities are being attacked by ransomware. The group is known as NB65 and Bleeping Computer has the details:

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are due to Russia’s invasion of Ukraine.

The Russian entities claimed to have been attacked by the hacking group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned  Russian Television and Radio broadcaster.

The attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website.

More recently, the NB65 hackers have turned to a new tactic — targeting Russian organizations with ransomware attacks since the end of March.

What makes this more interesting, is that the hacking group created their ransomware using the leaked source code for the Conti Ransomware operation, which are Russian threat actors who prohibit their members from attacking entities in Russia.

Bleeping Computer has actually made contact with NB65 and this is what the group had to say:

A representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

“It’s been modified in a way that all versions of Conti’s decryptor won’t work. Each deployment generates a randomized key based off of a couple variables that we change for each target,” NB65 told BleepingComputer.

“There’s really no way to decrypt without making contact with us.”

At this time, NB65 has not received any communications from their victims and told us that they were not expecting any.

As for NB65’s reasons for attacking Russian organizations, we will let them speak for themselves.

“After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russias ability to operate normally.  The Russian popular support for Putin’s war crimes is overwhelming.  From the very beginning we made it clear.  We’re supporting Ukraine.  We will honor our word.  When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em. 

We will not be hitting any targets outside of Russia.  Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.”

This should be very interesting to watch what happens next, and how Russia responds.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: