Leaked Conti ransomware used to attack Russian targets

Ransomware
(Image credit: Shutterstock)

Multiple Russian companies have suffered a ransomware attack using tools originally built by a Russian threat actor. The attackers claiming responsibility for the attacks say they are doing it as retribution for the invasion of Ukraine.

When Russia first attacked Ukraine almost two months ago, the operators of the Conti ransomware issued a statement saying whoever goes against Russia, or Russian companies, will face their wrath. 

Despite quickly taking the statement back (after a major outcry from its contractors, partners and users), a Ukrainian hacker went after the group, and leaked multiple versions of the ransomware.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> <a href="https://project.tolunastart.com/s/Cy37RiA" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

High-profile victims

The leak enabled other threat actors to build their own versions of the malware. And now, a group that goes by the name NB65 is using Conti strains to attack Russian targets.

According to a report from BleepingComputer, in the past month, document management operator Tensor, Russian space agency Roscosmos and VGTRK, the state-owned Russian Television and Radio broadcaster, have all been compromised.

After breaching VGTRK, the group stole and leaked 786.2 GB of data, including 900,000 emails and 4,000 files, it was said.

Those that suffer an attack receive this message:

"We're watching very closely. Your President should not have committed war crimes. If you're searching for someone to blame for your current situation look no further than Vladimir Putin.”

Talking to Bleeping Computer, a representative of NB65 said the encryptor was based on the first Conti source code leak, but was modified for each victim to render known decryptors useless.

"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple variables that we change for each target," NB65 told BleepingComputer. "There's really no way to decrypt without making contact with us."

NB65 says none of its victims have been in contact.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.