Ransomware, Governance, Risk and Compliance

After Conti backs war, ransomware gangs realize peril of patriotism amid infighting

Georgians rally in support of Ukraine held in front of the Parliament demanding that Russian President Putin ends the war. Ransomware gangs have retaliated against the Russia-based Conti group after threatening attacks to Western countries that target Russia. (Photo by Daro Sulakauri/Getty Images)

Late last week, Russia-based ransomware gang Conti announced it would "use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian speaking region of the world." It did not take into account one key aspect of its full capacity: many of its affiliates are pro-Ukraine.

Over the weekend, one affiliate leaked internal chats from Conti's Jabber server, retaliating against the group for threatening retaliation.

LockBit, a Conti competitor, released its own statement Sunday saying it would not be targeting Western infrastructure.

"Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers developers [sic] live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings," the group wrote on its leaks site. "For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work," wrote LockBit in a message translated into eight different languages.

"We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts," the group later added.

While often portrayed as an industry composed of a handful of Russian groups, ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians.

Like in any business, there is peril in angering the consumer.

"Even if your core group was located in Russia, you can't just unilaterally say we support Russia and we're going to go after sensitive U.S. targets. You're going to have a whole bunch of people who are part of your bottom line that are going to get pissed off with that," said Allan Liska, a ransomware expert with Recorded Future.

One of the major fears going into a conflict pitting the West against Russia was that Russia would weaponize its domestic ransomware groups, either directly or indirectly.

In the months before the invasion, Russia began a very public push to arrest cybercriminals. Western analysts never assumed it was a whole-hearted effort, thinking it was more likely either intended as a minimal effort to pacify the West after a year of harsh cyberattacks or a way to demonstrate how useful Russia could be to Western governments if they would sit out the Russia/Ukraine conflict.

Russia has had a long history of tacit understanding with criminal groups that if they did not attack Russia or its allies, they would not be a priority of law enforcement. The arrests were never on a scale to make a dent in the local criminal economy. But they might have been just large enough to inspire ransomware groups to try to demonstrate to the government why the government should back off.

There was also the opportunity for a more directed use of ransomware as a way to needle the West. Russia disguised its NotPetya wiper malware as ransomware in 2017, and the United States government has sanctioned one ransomware group for ties to the Russian government.

"I fully expected this to be a big concern we'd have going forward. But as of right now, we aren't seeing the kind of stepped-up ransomware attacks that I would expect to see if Russia had weaponized these ransomware groups," said Liska.

The reason may come down to the internal "disfunction" of the groups, said Liska, with the largest groups not being centralized enough to direct affiliates to attack targets that either take sides in the conflict or add the undue risk of global law enforcement crackdown.

It is unclear, said Liska, if Conti's intent was patriotism in the first place. Conti, he said, was known for attention-seeking announcements to draw in new affiliates and raise its global profile.

"If it was meant as a patriotic movement, obviously it backfired," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.