Now, a group has taken that source code and developed their own ransomware they are using to target Russian companies and agencies. So far, the group known as NB65 has hit Roscosmos (the Russian space agency), Russian state-owned TV and Radio broadcaster VGTRK, and Tensor (a document management company). Their attacks have been in the form of significant data theft (with 786GB of data stollen from VGTRK alone). NB65 has stated that their attacks are in direct response to the Russian invasion of Ukraine. The data theft and attacks alone as significant, but with the addition of their Conti-based ransomware there is a new twist to the game.

Normally APT groups that operate inside Russian do not target Russian owned or operated assets. They leave these things alone and in turn the Russian government has tended to turn a blind eye to their operations. They might talk a good game about policing them and occasionally they assist in the takedown of a decent sized target (mostly credit card theft), but overall, the gangs tend to operate with impunity.

NB65 felt this was not right. According to a communication they made with BleepingComputer, they stated that it was about time for Russia to feel the impact of ransomware and other attacks. This is the reason they felt the use of Russian organization Conti’s ransomware was apropos. They took the original source code leak and have developed their own version with a twist though. According to information the group shared with BleepingComputer each target has a different encryption. According to what BleepingComputer was told “It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key based off of a couple variables that we change for each target,”

The change in the encryption does not stop the malware was being identified as belonging to Conti though as a recent sample uploaded to Virus Total shows every anti-malware group identified the NB65 modified version as Conti. The NB65 flavor encrypts the files with a “.nb65” extension and drops a text file that explains they are the ones behind the attack. In the message they are very clear on the reasons the now infected group was targeted, they express no sympathy or remorse for the attack and put the blame for the attack directly on Russian President Vladimir Putin.

We have no doubt that the targeting of Russian organizations and agencies will continue as will internal warfare between threat actor groups. Groups like NB65 will probably ramp up their game as they seek to cause enough havoc inside Russia to either cause Putin to have a change of mind, or for the population to look to change their government. NB65 does not care which as long as the invasion ends. That is their goal and they are very clear on it, to quote the statement they sent BleepingComputer;
“When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.
Until then, fuck em.”