Russia’s invasion of Ukraine caused a split amongst threat actors. Before the war in Ukraine, Russian based threat actors operated with impunity if they did not attack organizations in countries within the Commonwealth of Independent States (CIS). That changed after the invasion when the horrors of war forced many hackers to take a stand against Russia, while others supported Russia’s actions. A member of the notorious Conti ransomware gang immediately released a public statement stating the group supported Russia. Days later, a disgruntled alleged member of the group that did not share the same feelings leaked 170,000 internal chat messages from the group, as well as source code. This source code is now being used by a new group to attack Russian based organizations. A new group named NB65 has been using the code to attack organizations, steal their data, and leak it online. NB65 started a Twitter page shortly after the invasion with their first tweets stating “Russia has made a fatal mistake. We are coming. #Ukraine” and “Seems like #anonymous could use a little help against Russia. We stand with #Ukraine.” Recently, the group has started demanding ransoms and leaving ransomware notes on encrypted devices. The note tells the victim that Vladimir Putin is responsible for the current situation they are in. The group claims that existing decryptors for Conti ransomware won’t work on their version as they have modified the leaked source code. The group told reporters that victims cannot decrypt without contacting them, although they do not expect any victim organizations to reach out to them.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is