Leaked Conti ransomware source codes were used to attack Russian authorities

Conti source codes

In March 2022, the source codes of the Conti malware were made public, and now, apparently, other hackers are starting to use them, turning the ransomware against Russian authorities and companies.

Let me remind you that this story began back in February 2022, when an anonymous information security researcher who had access to the infrastructure of hackers (according to other sources, this was a Ukrainian member of the hack group itself) decided to take revenge on Conti. The fact is that the group announced that, in the light of the “special military operation” in Ukraine, it fully supports the actions of the Russian government.

As a result, all internal hacker chats over the past year were first released to the public (339 JSON files, each of which is a log for a single day), and then another portion of the logs was published (another 148 JSON files containing 107,000 internal grouping messages) and other data related to Conti, including control panel source code, BazarBackdoor API, old ransomware source code, server screenshots, and more. These leaks were followed by another, with more recent sources of the Conti malware.

According to Bleeping Computer, a hack group NB65 has already adapted the Conti sources and is attacking Russian organizations. According to the publication, NB65 has been hacking into Russian organizations for the past month, stealing data and leaking it to the network. At the same time, the hackers claimed that the attacks were connected with a “special operation” in Ukraine.

For example, in March, a hack group claimed that it had already compromised the Tenzor IT company, Roscosmos, and VGTRK. For example, hackers wrote that they had stolen 786.2 GB of data from VGTRK, including 900,000 emails and 4,000 other files, which were eventually published on the DDoS Secrets website.

Now, NB65 has switched to using ransomware, creating its own malware based on the Conti source codes, a sample of which was found on VirusTotal. It turned out that almost all security solutions identify this threat as Conti, but Intezer Analyze calculated that the malware uses only 66% of the same code.

Journalists who have been able to talk to the hackers, report that they created malware based on the first Conti source leak, but modify the malware for each victim so that existing decryptors do not work. Also, representatives of NB65 assured the publication that they support Ukraine and will attack Russian companies, including those owned by private individuals, up to the cessation of all military actions.

We will not attack targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs, have been attacking the West for years with ransomware and conducting supply chain attacks (SolarWinds, defense contractors). We decided it was time for them to experience it for themselves.says NB65.

Let me remind you that we also wrote that the Russian Aviation agency switched to paper documents due to a hacker attack.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.