A ransomware campaign has been launched against numerous Russian organizations using tools originally developed by a Russian threat actor. The group claiming responsibility says it is carrying out the attacks in retaliation for the invasion of Ukraine.
When Russia initially attacked Ukraine over two months ago, the operators of the Conti ransomware made a statement warning that anybody who opposes Russia or Russian enterprises would suffer their wrath.
Although the group promptly retracted the statement (following widespread condemnation from its contractors, partners, and users), a Ukrainian hacker went after it and published various versions of the ransomware.
Because of that disclosure, other threat actors are able to build their own copies of the malware. A group known as NB65 is now leveraging Conti strains to attack Russian targets.
According to BleepingComputer, document management company Tensor, Russian space agency Roscosmos, and state-owned Russian television and radio broadcaster VGTRK have all been breached in the last month.
After hacking VGTRK, the gang reportedly stole and leaked 786.2 GB of data, including 900,000 emails and 4,000 files.
Victims receive the following note:
“We’re watching very closely. Your President should not have committed war crimes. If you’re searching for someone to blame for your current situation, look no further than Vladimir Putin.”
An NB65 spokesperson told BleepingComputer that the encryptor is based on the leaked Conti source code but is modified for each victim so that existing decryptors no longer work.
“It’s been modified in a way that all versions of Conti’s decryptor won’t work. Each deployment generates a randomized key based on a couple of variables that we change for each target,” NB65 told BleepingComputer. “There’s really no way to decrypt without making contact with us.”
According to NB65, none of its victims have made contact.