Ransomware from the pro-Russian hacker group “Conti” is being used as a weapon against Russia

Ukraine war
The tables are turned: ransomware from the pro-Russian hacker group “Conti” is used as a weapon against companies in Russia

Since the beginning of the war, the decentralized hacker collective “Anonymous” has been trying to weaken Russia’s IT. The group “NB65” uses Russia’s own tools for this.


Because the hacker group “Conti” had sided with Russia, other hackers stole its most important tool. That theft is now proving fatal for Russian companies.

At the beginning of March, the notorious “Conti” ransomware gang lost its most important tools. After the digital extortionists sided with the attackers at the start of the Russian invasion of Ukraine, an unknown IT expert emptied their vault: chats, server credentials, lists of future targets and even Bitcoin wallet addresses became public. Most recently, the pro-Russian group’s most important tool was put online as well: the source code of its latest ransomware trojan, the core of “Conti’s” business.


The hackers use this software to encrypt their victims’ data and systems and then demand large sums of money to reverse the attack. In the USA this has already paralysed clinics in the past, and in Ireland the Ministry of Health lost control of its IT infrastructure for days.

Beaten with their own weapons

The publication of the source code not only helped investigating authorities to better understand the group’s attacks on defenceless victims worldwide and to repair the damage they caused; it is now also proving fatal to those whose side “Conti” had taken. As Bleeping Computer reports, the so-called “Network Battalion 65” (NB65) is using a modified form of the “Conti” ransomware against Russian companies for the first time.

The Russian logistics company Continent Express, the pipeline operator Ssk Gazregion OOO and the state-owned company Mosexpertiza were among the first victims. The intentions behind the attacks are not always the same. Sometimes the victims were simply informed that the attack had taken place and that their data would remain lost until Russian troops withdrew; sometimes the attackers offered to release the encrypted data in return for a payment of an undisclosed amount.


What is consistent, however, is the note that the malware is originally Russian ransomware. The ransom notes also contain sharp criticism of the Russian government and its president, Putin. In the most recent note to “Continent Express” CEO Stanislav Kostyaschkin, “NB65” refers directly to the massacres in Bucha and states: “Civilian companies are now the focus. The Russian population, no matter how much they are influenced by Russian propaganda, shows alarming support for such useless violence and destruction. As long as military aggression in Ukraine does not end, we will raid every network we can find.”

Attacks are aimed exclusively at Russia

In a message on Twitter, “NB65” states that it plans to donate any ransom money to aid organisations. The group did not disclose the exact amount of its demands there either. The hackers explained their motivation to Bleeping Computer: “After Bucha, we decided to target certain companies that, although civilian-owned, still have an impact on Russia’s ability to operate normally. Russian public support for Putin’s war crimes is overwhelming. We made that clear from the start. We support Ukraine.”

Companies outside Russia probably have nothing to fear from the new ransomware. The statement continues: “We will not attack targets outside of Russia. Groups like Conti and Sandworm, as well as other Russian threats, have plagued the West with ransomware and supply chain attacks for years. We thought it was about time to turn the tables.”

Ransomware attacks on Russian companies are indeed unusual. Because most of the hacker groups that deploy ransomware are believed to operate from Russia, there have never been any major attacks on companies and corporations in their own country. Experts have been pointing out for years that this may be the result of agreements with the Russian government not to bother compatriots.

Such an arrangement is also suggested by the fact that in the past there have only been a few arrests of Russians suspected of participating in such a group. A notable exception is the arrest of suspected members of the hacker group REvil, which was dismantled in Russia at the request of the United States in mid-January 2022.

At the time, experts such as Dmitri Alperovitch suspected that a political message from the Kremlin lay behind it: Putin wanted to demonstrate that attacks by ransomware gangs can be stopped if the West earns it.

Sources: Bleeping Computer, Twitter, TRT World
