Just when you think ransomware criminals have exhausted their box of surprises, up pops something brand new nobody saw coming.
The latest example, first reported by Bleeping Computer, is a disarmingly simple innovation—target organizations inside Russia for extortion attacks.
According to the website, since late March a new group called NB65 claims it has attacked several entities in the country, including tech company Tensor, state-owned TV and radio company VGTRK, and the Russian space agency, Roscosmos.
This included the apparent theft of “786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website,” said Bleeping Computer.
Given how common ransomware is, targeting Russians might not sound like a big deal, but it breaks the mold. Reports of ransomware attacks on Russian organizations traditionally are but a tiny fraction compared to those targeting organizations outside those boundaries.
Back in the USSR
A large proportion of successful ransomware is coded in Russia, by Russian speakers. When they launch attacks, however, they aim outward, at non-Russian targets. It’s been estimated that in 2021, 74% of the ransoms paid during attacks went to threat groups based in Russia.
Meanwhile, a separate analysis by Chainalysis found that 90% of the ransom money paid out after 2020 involved malware that had been specifically coded to avoid infecting Russian-speaking organizations.
And when researchers pick apart Ransomware, they often find Russian language buried in its inner recesses.
It’s far from the case that all ransomware crooks are Russian, but there’s no doubt that a disproportionate number of the most active groups hail from countries inside Russia’s orbit.
All this makes it doubly ironic that the new attacks on Russian targets by NB65 were based on the hugely successful Conti ransomware, coded in Russia by the threat group of the same name. Adding to the Russian theme, that group is also alleged to have unconfirmed connections to Russian intelligence, which if true would make the NB65 attacks politically symbolic.
This happened after the source code and lots of internal chats between Conti group members were leaked in highly unusual circumstances a few weeks back by a self-styled “boring security researcher,” angered at Russia’s invasion of Ukraine.
That same code is now being re-purposed for new attacks, including on organizations in Russia. So, it seems the hack not only damaged a major Russian ransomware group’s operation, but turned its own malware created to attack foreigners back on the mother country.
This is the downside of any potent malware, including cyberweapons—if it leaks (and it probably will), it can come back on its makers with a vengeance. The U.S. knows all about this issue, having lost control of the powerful EternalBlue tool, built by the NSA but later leaked and re-used to target U.S. organizations, including by the Russians. No country is immune from this phenomenon. If ransomware attacks have been the exception in Russia, it’s hard not to think that this era is coming to an end. We are all in this together.