Hacking group NB65 has been leveraging proprietary ransomware developed using the leaked Conti ransomware source code to launch attacks against Russian organizations amid the ongoing Russian invasion of Ukraine, BleepingComputer reports.
Russian entities, including space agency Roscosmos, document management operator Tensor, and state-owned Russian Television and Radio broadcaster VGTRK, have been targeted by NB65, with the organizations' data stolen and exposed online during the past month. NB65 has claimed to have stolen 786.2GB of data, including 4,000 files and 900,000 emails, from VGTRK. The group has since pivoted to using the Conti ransomware source code, which was leaked after Conti expressed support for Russia. Analysis of NB65's modified Conti executable available on VirusTotal revealed that it shares 66% of its code with typical Conti ransomware samples. BleepingComputer found that executing NB65's ransomware appends the .NB65 extension to encrypted files and creates ransom notes that blame Russian President Vladimir Putin. While the NB65 ransomware encryptor is based on the initial leak of the Conti source code, the group modified it so that no version of Conti's decryptor can recover the files, according to an NB65 representative.