Ransomware - NB65

NB65
Aliases
Network Battalion 65
ContiStolen
Decryptor Available
Yes
Description

NB65, or Network Battalion 65, is a self-proclaimed cybergroup from Ukraine that made its motivations known on Twitter when it pledged support for Ukraine after Russia invaded in February 2022. At first, it was believed that the group was only destroying systems and defacing the websites of Russian organizations, based on several posts showcasing their attacks. It wasn't until a ransomware researcher named Amigo-A submitted the official NB65 ransomware to his digest that we learned that NB65 wasn't just a cybergroup attacking Russian organizations but was also using ransomware to do so. Based on the victims posted to their Twitter page (@xxNB65), the group has at least 20 victims, all within Russia.

For the ransomware itself, the WatchGuard Threat Lab was able to find two samples. One was explicitly targeted at the organization it attacked, based on the ransom note it dropped; the other dropped a generic ransom note that names no target. You can see both ransom notes below. The ransomware is a modified version of the second iteration of Conti (Conti v2), which ironically was created by Russian threat actors and was leaked by a Ukrainian hacker, possibly from NB65. NB65 changed the code so the decryptor wouldn't work on it, resulting in an alleged 66% code similarity based on Intezer analysis. Even though the code is altered, the encryption scheme is the same - ChaCha20 for file contents, with an RSA-4096 key for each file.

The group gives victims seven days to send funds, or they won't decrypt files. However, the group claims that they aren't seeking ransoms, and if they were to receive one, it would be donated to Ukraine. As such, we would consider the actions of NB65 as those of hacktivists. The group was active from late February 2022 to early August 2022. After this, several variants of NB65 began to pop up, such as MEOW! and PUTIN, among others.

Ransomware Type
Crypto-Ransomware
Data Broker
Wiper
Country of Origin
Ukraine
First Seen
Last Seen
Threat Actors
Type
Actor
Cybergroup
NB65
Extortion Types
Direct Extortion
Double Extortion
Extortion Timeout
Free Data Leaks
Communication
Medium
Identifier
Twitter | X
Encryption
Type
Hybrid
Files
ChaCha20
Key
RSA-4096
File Extension
<file name>.NB65
Ransom Note Name
R3ADM3.txt
Samples (SHA-256)
11d38fc2809b220232a8298c5d459a7e0cbb6fa9835d57cd545568877bf8f608
7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907
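The three host-side indicators this profile lists (the .NB65 extension, the R3ADM3.txt note name, and the two sample SHA-256 hashes) can be checked in one pass over a filesystem. The triage scanner below is an added example, not WatchGuard's or NB65's code; the directory layout it builds for the demo run is constructed, and the bucket names it returns are the example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from this page's NB65 profile.
NB65_EXTENSION = ".NB65"
NB65_NOTE_NAME = "R3ADM3.txt"
NB65_SAMPLE_SHA256 = {
    "11d38fc2809b220232a8298c5d459a7e0cbb6fa9835d57cd545568877bf8f608",
    "7f6dbd9fa0cb7ba2487464c824b6d7e16ace9d4cd15e4452df4c9a9fd6bd1907",
}

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_nb65(root: str) -> dict:
    """Walk `root` and bucket hits: encrypted files, ransom notes, known binaries."""
    hits = {"encrypted_files": [], "ransom_notes": [], "known_samples": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(NB65_EXTENSION):
                hits["encrypted_files"].append(str(path))
            elif name == NB65_NOTE_NAME:
                hits["ransom_notes"].append(str(path))
            else:
                try:  # unreadable files (locks, permissions) are skipped, not fatal
                    if sha256_of(path) in NB65_SAMPLE_SHA256:
                        hits["known_samples"].append(str(path))
                except OSError:
                    continue
    return hits

def demo_scan() -> dict:
    """Run the scanner over a constructed directory tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "docs")
        docs.mkdir()
        (docs / "report.docx.NB65").write_bytes(b"\x00constructed ciphertext")
        (docs / NB65_NOTE_NAME).write_text("constructed ransom note")
        (docs / "clean.txt").write_text("unaffected file")
        return scan_for_nb65(tmp)
```

Point `scan_for_nb65` at a real mount point to triage a host; hashing every non-matching file is the expensive part, so on large volumes restrict the hash check to executable paths first.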
Industry | Sector | Pays Extortion | Date | Amount (USD)
Education | Russia
Telecommunications | Russia
Energy | Russia
Aerospace & Aviation | Russia
Education | Russia
Construction & Architecture | Russia
Information Technology | Russia
Information Technology | Russia
Construction & Architecture | Russia
Information Technology | Russia
Media & Marketing | Russia
Professional Services | Russia
Construction & Architecture | Russia
Hospitality | Russia
Banking & Finance | Russia
Information Technology | Russia
Banking & Finance | Russia
Information Technology | Russia
Telecommunications | Russia
Manufacturing | Russia
References & Publications