NB65 group attacks Russia with the modified Conti ransomware

NB65 group attacks Russia with the modified Conti ransomware
NB65, NB65 ransomware, Conti ransomware, NB65 Hackers, Cyberattack, Russia
Written by Wilbur Woodham

An infamous NB65 hacker group, which appeared after the 2022 Russian invasion in Ukraine as a joint force of Anonymous, attacks Russian companies with Conti ransomware. Russian Space Company (a.k.a. Roskosmos) and All-Russia State Television and Radio Company (a.k.a VGTRK) are under attack.

NB65 uses modified Conti ransomware

3 weeks ago, the source code of Conti ransomware was leaked to the public. It appeared on several Darknet forums and therefore was shared in tens and hundreds of cybersecurity communities. Besides being a very interesting piece of code to analyse, Conti source code appeared to be the launchpad for the hackers’ activity. It is not the first ransomware whose source code becomes a public domain, but it is surely the most perfect one. At least their financial success is obvious – they stole over $25 million in the last quarter of 2021.

The irony is also that Conti ransomware is considered to be a Russian ransomware group. One may say, bear fans are now attacked with their own weapon. After its appearance in 2020, it attacked companies around the world, diligently ignoring Russia and some other ex-USSR countries. Cybersecurity analysts know it for being technically advanced: it uses up to 32 CPU threads during the encryption process and tries to block all typical recovery options. But now, this knife seems to have hit their own computers.

Attacks of NB65 group against Russia

Ransomware injection is not the first activity of this group. NB65 (Network Battalion 65) call themselves a “hacker group” not just because they want to. They commenced several attacks on Russian regional companies before applying the Conti ransomware source code to work for their needs. NB65 hackers were breaking into the systems of Gazregion LLC, Kremlin CCTV, Mosexpertiza, and half a dozen of other Russian companies. They are not just spreading ransomware – they do whatever the “hacking” term means.

Cybersecurity analysts were right when they said that the Third World War will also be on the Internet. The scale of DDoS attacks, hacking operations, malicious spam and God knows what else became tremendous since 02/24. Volunteer hackers from all over the world started their own, invisible warfare against the aggressor. That did not lead to serious physical damage but definitely made life more difficult. Constantly unavailable sites due to the DDoS attacks, switching the document flow to the paper form – all these things work against Russia.

NB65 message

The message about the NB65 attack

Difference between Conti and NB65 ransomware

The NB65 group refined the Conti group’s brainchild before using it against Russian companies. First thing that comes into view is the extension that appears after the encryption. From the “classic” extension – .conti, they switched to .NB65 – just to identify themselves. In my opinion, it could be even better to keep the original Conti extension, at least in some cases – just to confuse the analysts who will investigate this attack. Besides the extension, they also deliver a completely different ransom note.

Ransom note NB65

Ransom note of NB65 ransomware

However, the main difference hides under the hood. Hackers from NB65 managed to modify the encryption mechanism in order to prevent the decryption with a regular Conti tool. That action is not very hard, but effective. It is pretty hard to reverse engineer the compiled variant of ransomware to see the ciphering mechanism and create the decryption tool. I think, NB65 may apply some other ransomware variants with open-source development – like HiddenTear, for example.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
NB65 group attacks Russia with the modified Conti ransomware
NB65 group attacks Russia with the modified Conti ransomware
NB65 hacker group used the leaked Conti ransomware code in order to attack the Russian governmental companies. That is pretty interesting due to the Russian origins of the Conti group.

About the author

Wilbur Woodham

I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.

Leave a Reply