Multiple Russian companies have suffered a ransomware (opens in new tab) attack using tools originally built by a Russian threat actor. The attackers claiming responsibility for the attacks say they are doing it as retribution for the invasion of Ukraine.
When Russia first attacked Ukraine almost two months ago, the operators of the Conti ransomware issued a statement saying whoever goes against Russia, or Russian companies, will face their wrath.
Despite quickly taking the statement back (after a major outcry from its contractors, partners and users), a Ukrainian hacker went after the group, and leaked multiple versions of the ransomware.
High-profile victims
The leak enabled other threat actors to build their own versions of the malware (opens in new tab). And now, a group that goes by the name NB65 is using Conti strains to attack Russian targets.
According to a report from BleepingComputer, in the past month, document management operator Tensor, Russian space agency Roscosmos and VGTRK, the state-owned Russian Television and Radio broadcaster, have all been compromised.
After breaching VGTRK, the group stole and leaked 786.2 GB of data, including 900,000 emails and 4,000 files, it was said.
Those that suffer an attack receive this message:
"We're watching very closely. Your President should not have committed war crimes. If you're searching for someone to blame for your current situation look no further than Vladimir Putin.”
> Conti ransomware source code leaked by Ukrainian researcher (opens in new tab)
> Conti ransomware group has internal chats leaked after siding with Russia (opens in new tab)
> Revenge hackers leak more Conti ransomware source code (opens in new tab)
Talking to Bleeping Computer, a representative of NB65 said the encryptor was based on the first Conti source code leak, but was modified for each victim to render known decryptors useless.
"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple variables that we change for each target," NB65 told BleepingComputer. "There's really no way to decrypt without making contact with us."
NB65 says none of its victims have been in contact.
- Keep your organization safe from ransomware attackers with the best firewalls out there (opens in new tab)
Via BleepingComputer (opens in new tab)