From the Labs: YARA Rule for Detecting NB65

Since the start of Russia’s war on Ukraine, there have been several instances of cyber attacks related to the conflict. There have been direct attacks on Ukrainian entities, such as malware wiper attacks, as well as popular ransomware gangs siding with the Russian government, such as Conti. One group however, about two months into the Russo-Ukrainian war, joined the cyber front, but targeted Russia specifically.

This group, known as NB65, launched a successful campaign discovered in April 2022 that attacked Russian entities by stealing their data and leaking it online. In addition to the successful breaches and public leaking, NB65 made it known that their targeting was a result of Russia’s physical aggression towards Ukraine. The group is active on Twitter, and used the hashtag “#FckPutin” when announcing one of its successful breaches.

While this group is unique in its motivation for targeting Russian entities, the significance of NB65 lies in their source code. The group’s ransomware source code is not original, because it was copied and modified from the leaked source code of another ransomware group: Conti. As we highlighted in our From The Labs: YARA Rule for Detecting Conti, this ransomware group, which was a powerful force in recent years, publicly sided with the Russian government’s actions towards Ukraine. And as retaliation, a member of Conti leaked the group’s internal messages and source code, giving NB65 the opportunity to use the code to its advantage.

In this From the Labs YARA Rules series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment. Here's what you need to know about NB65, and our open source YARA rule for detecting it.

Understanding the modified source code

Researchers were able to analyze a sample of NB65’s modified Conti source code after it was uploaded to VirusTotal. BleepingComputer analyzed the sample, and was able to see strong similarities between both the original and modified code. When the modified code was run through VirusTotal, the sample was flagged as Conti. Also, Intezer Analyze determined that 66% of NB65’s code was the same as Conti’s ransomware sample.

The code samples are not exactly the same, however. NB65 modified the code just enough to give it the group’s stamp. When BleepingComputer ran the NB65 code, it found that all of the encrypted files had an extension of “.NB65.” Once NB65 encrypts a system, the code will also launch a ransomware note named “R3ADM3.txt.” The message blames their attack on Russian President Vladimir Putin for invading Ukraine: “We’re watching very closely. Your President should not have committed war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.”

What’s also significant and unique about NB65 is that their members have spoken to the news media about the group’s activities. For example, one representative of the group told BleepingComputer that they based their encryptor on the first Conti source code leak, but modified it for each victim they targeted, so that existing decryptors wouldn’t work.

Their goal: Hurt Russia’s stability

In a continued conversation NB65 had with BleepingComputer, they revealed their true feelings towards Russia and their motivations for attacking these entities:

From the very beginning we made it clear. We're supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies. Until then, f*ck em.

The group’s statements make it obvious that it is a hacktivist organization, most definitely motivated by Russia’s war on Ukraine. Their actions have also spoken equally as loud as their words.

In the group’s April 2022 campaign, NB65 had successfully breached the following Russian organizations: Tensor, a document management operator, the Russian space agency, as well as VGTRK, the state-owned Russian television broadcaster. Then, in May 2022, it was discovered that NB65 had also successfully breached Qiwi, a Russian payment processing platform, which resulted in the group leaking 7 million payment cards’ data.

The group’s track record of attacks shows that they aren’t afraid to target both state-run and civilian-run organizations. In NB65’s communication with BleepingComputer, they shared that their goal is to target companies that have an “impact on Russia’s ability to operate normally,” meaning that their ultimate motivation is to destabilize the country as much as possible.

NB65 did make it known on their Twitter account that they would not be targeting any organizations outside of Russia, and that any ransomware payments made to them by their victims would be donated to Ukraine.

Detecting Lorenz

While NB65 has made it known that their goal is to hurt Russian organizations specifically, it is important that companies globally protect themselves from any kind of ransomware threat. ReversingLabs’ NB65 YARA rule is designed to detect the group’s modified ransomware within your environment with high fidelity and almost no false-positives.

Download the NB65 YARA Rule here:

Win32.Ransomware.NB65.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.

Open Source YARA Rules from ReversingLabs

ReversingLabs analysts work constantly to respond to new threats and provide customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.