Rewterz Threat Alert – Leaked Conti Ransomware Used to Target Russia – Active IOCs

Severity

High

Analysis Summary

Conti ransomware was discovered in December 2019 and is delivered via TrickBot. It’s been utilized against large companies and government institutions across the world, especially in North America. Conti steals important files and information from targeted networks and threatens to disseminate it unless the ransom is paid. Conti ransomware enhances performance by utilizing “up to 32 simultaneous encryption operations,” and is very likely directly controlled by its controllers. This ransomware can target network-based resources while ignoring local files. This feature has the noticeable impact of being able to create targeted harm in an environment in a way that might hinder incident response actions.

During the Russian-Ukrainian cyber warfare, threat groups and hacktivists have taken sides in support of either party. Russian originator Conti announced their support for Russia, but shortly after their data was breached and code for the ransomware was leaked. Similarly, NB65 group took Ukraine’s side and retaliated with attacks on VGTRK and the Russian Space Agency ‘Roscosmos’.

The group has created a unique ransomware from the leaked conti code and changed the ransomware note, added .NB65 extension to the encrypted file’s names, and the encryption process was also modified to change the decryptor.

Impact

• Sensitive File Theft
• File Encryption

Indicators of Compromise

Domain Name

• thulleultinn[.]club
• vaclicinni[.]xyz
• tapavi[.]com
• oxythuler[.]cyou
• dictorecovery[.]cyou
• contirecovery[.]best

IP

• 83[.]97[.]20[.]160
• 82[.]118[.]21[.]1
• 68[.]183[.]20[.]194
• 23[.]82[.]140[.]137

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.