Ransomware - PUTIN

PUTIN
Aliases
Putin Team
KREMLIN
RUSSIA
Decryptor Available
Yes
Description

PUTIN, or Putin Team, is an NB65 (Conti v2) derivative that one would believe would be of Russian origin and, thus, likely attack targets outside of Russia. However, the operators behind this ransomware perform the opposite action and are known to have attacked two organizations, both in Russia. One was a dentistry and the other was a distribution and logistics company. These were posted on their Telegram page, of which they had two - one to negotiate extortions and the other to publish double extortions. Interestingly, these two companies were directly named in ransom notes. However, the other four samples we located only state a unique victim ID. This appears to be a preference of the operators, as the payloads were similar aside from that.

This ransomware is practically the same as MEOW! (MeowCorp) and is only inserted as a separate entry because of the subtle differences in theme (Russia), ransom note, and extortion tactics. MEOW! had listed several emails and Telegram accounts. However, the group behind this ransomware is the same as MEOW! and calls themselves NB65 (Network Battalion 65), a cybergroup from Ukraine. NB65, and Anti-Russian Extortion Group, which could be the same operators, began attacking Russian companies in response to the war in Ukraine. Hence, the Russian theme. They aren't Russian; they exclusively attack Russia.

Like Conti v2 (NB65), the ransomware encrypts files using ChaCha20 and RSA-4096. However, the file extension used on encrypted files is <file name>.PUTIN. Hence the ransomware name - PUTIN. However, there were at least two other variations of the PUTIN naming convention as the '.KREMLIN' and '.RUSSIA' file extensions were also discussed on Kaspersky forums by victims of this ransomware. The last known discussion of the PUTIN ransomware was in February 2023, when the threat actors declared they were seizing operations and subsequently released decryption keys for victims. However, since the Conti v2 encryptor leaked, it's likely we will see other variants bearing different names but with similar payloads.

Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Lineage
NB65
Threat Actors
Type
Actor
Cybergroup
Anti-Russian Extortion Group
Extortion Links
Medium
Link
Telegram
@PutinInformation
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium
Identifier
Telegram
@PutinRestore
Telegram
@KremlinRestore
Telegram
@RussiaRestore
Encryption
Type
Hybrid
Files
ChaCha20
Key
RSA-4096
File Extension
<file name>.PUTIN
<file name>.KREMLIN
<file name>.RUSSIA
Ransom Note Name
readme.txt
README.txt
Ransom Note Image
PUTIN-RansomNote-5a936
Click to enlarge
 PUTIN-RansomNote-7f624
Click to enlarge
 PUTIN-RansomNote-80394
Click to enlarge
 PUTIN-RansomNote-7d1cc-CENSORED
Click to enlarge
 PUTIN-RansomNote-62f9c-CENSORED
Click to enlarge
5a936250411bf5709a888db54680c131e9c0f40ff4ff04db4aeda5443481922f
62f9c48b218c4cdb08ed76729539a8b6a6aaf2a558d80b441e7e79e4074d622c
7d1ccac64445547908dc1678479919c9bd063bceac5d214857d2758828f1c60b
7f624cfb74685effcb325206b428db2be8ac6cce7b72b3edebbe8e310a645099
80394d4c8680cda921b4fdd63441a8cfdca25eb2ad082149d582bbb5619b0155
fe311979cd099677b1fd7c5b2008aed000f0e38d58eb3bfd30d04444476416f9
Known Victims
Industry Sector Country Extortion Date Amount (USD)
Healthcare & Medicine Russia
Distribution & Logistics Russia
Decryptors
Kaspersky: RakhniDecryptor
Kaspersky Club Forum [RU]: Files with the "PUTIN" extension
Kaspersky Club Forum [RU]: Shifrovalshhik .RUSSIA
Cyble: New Ransomware Strains Emerging from Leaked Conti’s Source Code
Fortinet: Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware
SafeZone Forums: Encrypted files on a computer with WinXP and a network drive (.KREMLIN)
The Crypto-Ransomware Digest: Meow
Ransomware Tracker