11 April 2022

Hackers make use of Conti’s leaked ransomware source code to encrypt Russian companies

A hacker group known as NB65 has been targeting Russian companies and organizations with ransomware built from Conti's source code, which a Ukrainian security researcher leaked in February after the ransomware gang pledged its support to the Russian government over the invasion of Ukraine.

The NB65 group has claimed to have breached several Russian entities over the past month, including document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster. In the latter incident the group allegedly stole 786.2 GB of data, including 900,000 emails and 4,000 files, which then were published on the DDoS Secrets website.

However, since the end of March, NB65 has started targeting Russian organizations with a ransomware variant created using Conti’s leaked source code. The malware sample was spotted by security researchers after it was uploaded to VirusTotal on April 8.

According to analysis of the sample, when encrypting files NB65's ransomware appends the NB65 extension to the encrypted file names and drops a ransom note stating that “your President should not have committed war crimes. If you’re searching someone to blame for your current situation, look no further than Vladimir Putin.” The group has also said that it modified the code so that the encrypted files cannot be decrypted with Conti's decryptor.

In a statement to Bleeping Computer, NB65 said that it will stop attacking Russian organizations once Russia ends the ongoing war in Ukraine.

“After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia's ability to operate normally. The Russian popular support for Putin's war crimes is overwhelming. From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies,” the group said.

“Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)... We figured it was time for them to deal with that themselves.”

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any one man are not worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!
