Conti ransomware offshoot targets Russian organizations

Thanks to the Threat Intelligence team for their help with this article.

Conti, the infamous ransomware created by a group of Russian and Eastern European cybercriminals, has again made headlines after a hacking group used its leaked source code to create another variant of the ransomware and target Russian businesses.

The hacking group calls itself Network Battalion ’65 (@xxNB65), and it is highly motivated by Russia’s invasion of Ukraine.

NB65 has been breaching Russian entities and stealing and leaking their data online. Some of its targets include Continent Express (travel management company), Roscosmos (Russian space agency), Tensor (document management operator), Ufa Scientific Center of the Russian Academy of Science (part of a network of scientific research institutes), and VGTRK (state-owned TV and radio broadcaster). Expect the number of its victim organizations to increase, as the group says it won’t be stopping until the war stops.

NB65’s ransomware, composed of 66 percent of Conti’s code, behaves the same way as the original Conti variant but with slight yet noticeable changes. Last week, a sample was submitted to VirusTotal, allowing cybersecurity researchers to study it.

How it works

Once executed, this ransomware appends the.NB65 extension to encrypted files.

The ransomware creates the ransom note, R3ADM3.txt, a known IOC file of Conti. However, the note’s content has been changed to reflect NB65’s message to victim organizations: Blame Russian President Vladimir Putin for the cyberattack.

“By now it’s probably painfully apparent that your environment has been infected with ransomware. You can thank Conti for that.

We’ve modified the code in a way that will prevent you from decrypting it with their decryptors.

We’ve exfiltrated a significant amount of data including private emails, financial information, contacts, etc.

Now, if you wish to contact us in order to save your files from permanent encryption you can do so by emailing network_battalion_0065@{redacted}.

You have 3 days to establish contact. Failing to do so will result in that data remaining permanently encrypted.

While we have very little sympathy for the situation you find yourselves in right now, we will honor our agreement to restore your files across the affected environment once contact is established and payment is made. Until that time we will take no action. Be aware that we have compromised your entire network.

We’re watching you closely. Your President should not have commited war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.“

NB65’s ransom note contains details of what the group did to prevent victims from decrypting their files using Conti decryptors. There is also a contact email for victims to who want their files decrypted by the group. However, speaking to BleepingComputer, an NB65 representative said they don’t expect victims to reach out.

When BleepingComputer pressed for reasons for attacking Russian organizations, NB65 has this to say:

After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russias[sic] ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, **** em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.

Malwarebytes users are protected from this ransomware, and we detect NB65’s variant as Ransom.Conti.

The post Conti ransomware offshoot targets Russian organizations appeared first on Malwarebytes Labs.