{ "id": "1870a1fb-b119-4058-83ae-94490195d0e5", "created_at": "2026-04-06T00:18:10.956648Z", "updated_at": "2026-04-10T13:11:51.525811Z", "deleted_at": null, "sha1_hash": "7b3aad1dd9f3f140b16231040401d2340cea48ef", "title": "Hackers use Conti's leaked ransomware to attack Russian companies", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4538581, "plain_text": "Hackers use Conti's leaked ransomware to attack Russian companies\r\nBy Lawrence Abrams\r\nPublished: 2022-04-09 · Archived: 2026-04-05 13:00:42 UTC\r\nA hacking group used the Conti's leaked ransomware source code to create their own ransomware to use in cyberattacks\r\nagainst Russian organizations.\r\nWhile it is common to hear of ransomware attacks targeting companies and encrypting data, we rarely hear about Russian\r\norganizations getting attacked similarly.\r\nThis lack of attacks is due to the general belief by Russian hackers that if they do not attack Russian interests, then the\r\ncountry's law enforcement would turn a blind eye toward attacks on other countries.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nHowever, the tables have now turned, with a hacking group known as NB65 now targeting Russian organizations with\r\nransomware attacks.\r\nRansomware targets Russia\r\nFor the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it\r\nonline, warning that the attacks are due to Russia's invasion of Ukraine.\r\nThe Russian entities claimed to have been attacked by the hacking group include document management operator Tensor,\r\nRussian space agency Roscosmos, and VGTRK, the state-owned  Russian Television and Radio broadcaster.\r\nThe attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000\r\nemails and 4,000 files, which were published on the DDoS Secrets website.\r\nMore recently, the NB65 hackers have turned to a new tactic — targeting Russian organizations with ransomware attacks\r\nsince the end of March.\r\nWhat makes this more interesting, is that the hacking group created their ransomware using the leaked source code for the\r\nConti Ransomware operation, which are Russian threat actors who prohibit their members from attacking entities in Russia.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 3 of 7\n\nConti's source code was leaked after they sided with Russia over the attack on Ukraine, and a security researcher leaked\r\n170,000 internal chat messages and source code for their operation.\r\nBleepingComputer first learned of NB65's attacks by threat analyst Tom Malka, but we could not find a ransomware sample,\r\nand the hacking group was not willing to share it.\r\nHowever, this changed yesterday when a sample of the NB65's modified Conti ransomware executable was uploaded\r\nto VirusTotal, allowing us to get a glimpse of how it works.\r\nAlmost all antivirus vendors detect this sample on VirusTotal as Conti, and Intezer Analyze also determined it uses 66% of\r\nthe same code as the usual Conti ransomware samples.\r\nBleepingComputer gave NB65's ransomware a run, and when encrypting files, it will append the .NB65 extension to the\r\nencrypted file's names.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 4 of 7\n\nFiles encrypted by NB65's ransomware\r\nSource: BleepingComputer\r\nThe ransomware will also create ransom notes named R3ADM3.txt throughout the encrypted device, with the threat actors\r\nblaming the cyberattack on President Vladimir Putin for invading Ukraine.\r\n\"We're watching very closely.  Your President should not have commited war crimes. If you're searching for someone to\r\nblame for your current situation look no further than Vladimir Putin,\" reads the NB65 ransomware note displayed below.\r\nRansom note for NB65 ransomware\r\nSource: BleepingComputer\r\nA representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti\r\nsource code leak but modified it for each victim so that existing decryptors would not work.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 5 of 7\n\n\"It's been modified in a way that all versions of Conti's decryptor won't work. Each deployment generates a randomized key\r\nbased off of a couple variables that we change for each target,\" NB65 told BleepingComputer.\r\n\"There's really no way to decrypt without making contact with us.\"\r\nAt this time, NB65 has not received any communications from their victims and told us that they were not expecting any.\r\nAs for NB65's reasons for attacking Russian organizations, we will let them speak for themselves.\r\n\"After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact\r\non Russias ability to operate normally.  The Russian popular support for Putin's war crimes is overwhelming.\r\n From the very beginning we made it clear.  We're supporting Ukraine.  We will honor our word.  When Russia\r\nceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing\r\nassets and companies.\r\nUntil then, fuck em. \r\nWe will not be hitting any targets outside of Russia.  Groups like Conti and Sandworm, along with other Russian\r\nAPTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense\r\ncontractors)... We figured it was time for them to deal with that themselves.\"\r\nNB65 further stated on Monday that they will never target organizations outside of Russia, and any ransom payments will be\r\ndonated to Ukraine.\r\nUpdate 4/11/22: Added updated about how ransoms would be used\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 6 of 7\n\nSource: https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/" ], "report_names": [ "hackers-use-contis-leaked-ransomware-to-attack-russian-companies" ], "threat_actors": [ { "id": "f547e816-ea17-442e-915d-c5c76a30669b", "created_at": "2022-10-25T16:07:23.891717Z", "updated_at": "2026-04-10T02:00:04.780944Z", "deleted_at": null, "main_name": "NB65", "aliases": [], "source_name": "ETDA:NB65", "tools": [ "NB65" ], "source_id": "ETDA", "reports": null }, { "id": "8754f54b-7154-4996-b065-94f04f846022", "created_at": "2023-11-07T02:00:07.095161Z", "updated_at": "2026-04-10T02:00:03.405596Z", "deleted_at": null, "main_name": "NB65", "aliases": [ "Network Battalion 65" ], "source_name": "MISPGALAXY:NB65", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434690, "ts_updated_at": 1775826711, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7b3aad1dd9f3f140b16231040401d2340cea48ef.pdf", "text": "https://archive.orkl.eu/7b3aad1dd9f3f140b16231040401d2340cea48ef.txt", "img": "https://archive.orkl.eu/7b3aad1dd9f3f140b16231040401d2340cea48ef.jpg" } }