{
	"id": "3d1d9351-4d65-484a-9da9-13c07700a9a5",
	"created_at": "2026-04-06T00:09:57.943732Z",
	"updated_at": "2026-04-10T03:25:41.162424Z",
	"deleted_at": null,
	"sha1_hash": "1e3ff30cf80ad29e7ee652189102b8b9b3429e82",
	"title": "Rewterz Threat Alert – Leaked Conti Ransomware Used to Target Russia - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38283,
	"plain_text": "Rewterz Threat Alert – Leaked Conti Ransomware Used to Target\r\nRussia - Active IOCs - Rewterz\r\nPublished: 2022-04-11 · Archived: 2026-04-05 19:04:21 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nConti ransomware was discovered in December 2019 and is delivered via TrickBot. It’s been utilized against large\r\ncompanies and government institutions across the world, especially in North America. Conti steals important files\r\nand information from targeted networks and threatens to disseminate it unless the ransom is paid. Conti\r\nransomware enhances performance by utilizing “up to 32 simultaneous encryption operations,” and is very likely\r\ndirectly controlled by its controllers. This ransomware can target network-based resources while ignoring local\r\nfiles. This feature has the noticeable impact of being able to create targeted harm in an environment in a way that\r\nmight hinder incident response actions.\r\nDuring the Russian-Ukrainian cyber warfare, threat groups and hacktivists have taken sides in support of either\r\nparty. Russian originator Conti announced their support for Russia, but shortly after their data was breached and\r\ncode for the ransomware was leaked. 
Similarly, the NB65 group took Ukraine’s side and retaliated with attacks on\r\nVGTRK and the Russian Space Agency ‘Roscosmos’.\r\nThe group has created a unique ransomware from the leaked Conti code: it changed the ransom note,\r\nadded the .NB65 extension to the encrypted files’ names, and also modified the encryption process to change the\r\ndecryptor.\r\nImpact\r\nSensitive File Theft\r\nFile Encryption\r\nIndicators of Compromise\r\nDomain Name\r\nIP\r\nRemediation\r\nBlock the threat indicators at their respective controls.\r\nSearch for IOCs in your environment.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs"
	],
	"threat_actors": [
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791541,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e3ff30cf80ad29e7ee652189102b8b9b3429e82.pdf",
		"text": "https://archive.orkl.eu/1e3ff30cf80ad29e7ee652189102b8b9b3429e82.txt",
		"img": "https://archive.orkl.eu/1e3ff30cf80ad29e7ee652189102b8b9b3429e82.jpg"
	}
}