A ransomware group paid the price for backing Russia
As Russia’s invasion of Ukraine enters its fifth day, a coalition led by the US and Europe has mounted a coordinated response focused on financial sanctions and, increasingly, military aid. While the conflict grows in scale and intensity, organizations far beyond the apparatus of military and government are being drawn in — including ransomware groups active in Russia and Ukraine.
That gravitational pull is particularly fraught in Russia, where the borders between hackers and the Russian intelligence services are sometimes porous, and one group in particular has been made to pay for its allegiance to the Putin regime.
On Friday, the notorious ransomware gang Conti surprised many observers by explicitly casting its lot with Putin’s military agenda, declaring “full support” for the Russian government and threatening to mount attacks on critical infrastructure of any adversaries launching cyberattacks against Russia.
Two days later, on February 27th, Conti’s posturing backfired spectacularly when an anonymous individual leaked a cache of chat logs from the organization, revealing a huge amount of previously unpublished information about the ransomware group’s internal workings.
The leaked data contains over a year’s worth of chat logs from Jabber, the open XMPP instant messaging protocol, comprising messages between at least 20 chat handles presumed to belong to members of the gang. Among other things, these logs seem to confirm a chain of command linking Conti to Russian intelligence agencies. According to Christo Grozev, executive director of open-source intelligence research group Bellingcat, the chat logs show that members of Conti tried to hack a Bellingcat contributor on the orders of Russia’s main internal security service, the FSB.
Russia has been widely criticized for harboring cybercriminal groups in the past, and with certain exceptions — notably the public takedown of the REvil hacker group by the FSB in January — they are largely allowed to operate with impunity provided they refrain from attacking domestic targets. But while proximity to the Russian government has been an advantage for cybercriminals in the past, there are some signs that the dynamics of the Ukraine invasion are turning it into a liability.
Though the identity of the leaker has not been revealed, Alex Holden, the Ukrainian-born founder of cybersecurity company Hold Security, said that the logs had been leaked by a Ukrainian security researcher who had managed to infiltrate the Conti gang.
“This is a Ukrainian citizen, a legitimate cybersecurity researcher, who is doing this as part of his war against cybercriminals who support the Russian invasion,” Holden said. Further details of the leaker’s identity could not be disclosed without risking his safety, Holden said.
The Record also reports that the chat logs contain Bitcoin addresses where payments made to the Conti gang were received, and messages detailing negotiations between Conti and companies that had not disclosed a ransomware incident.
Bill Demirkapi, a security researcher who published a version of the logs machine-translated into English with Google Translate, confirmed to The Verge that the logs contained details of Conti’s technical infrastructure, logistical operations, discussions of zero-day vulnerabilities, and details about internal tooling. Given the short time since the release of the logs, Demirkapi said, it was hard to assess the long-term impact the leak would have on the group.
Although many of the most prolific ransomware groups are considered to be aligned with Russia, in practice they are often transnational entities that include a diversity of ethnicities and nationalities, said Chester Wisniewski, principal research scientist at Sophos. With international opinion overwhelmingly favoring Ukraine, many of them may have decided to steer clear of the conflict rather than declare support for the Russian invasion.
“The polarizing nature of this conflict — which effectively seems to be the whole world versus Russia — means there’s way less [cybercriminal] activity than we expected,” Wisniewski said. “I think there’s a lot of sympathy for Ukraine among members of these different groups, and as a result they’re sitting it out.”
LockBit, another ransomware group and effectively a competitor to Conti, released a statement on Sunday saying that the group would not target Western infrastructure, citing the international makeup of the organization. Rather than profess any support for Ukraine, the statement declared neutrality in the conflict.
“For us it is just business and we are all apolitical,” the message posted by LockBit said.
Though ransomware gangs (with the exception of Conti) have been reluctant to choose sides, certain hacktivist groups — which are by definition political — have rushed to join the cause. A hacktivist group operating from Belarus has claimed to be disrupting the movement of military units by shutting down railways in the country, after the Belarusian government launched missile strikes against Ukraine and agreed to support Russia by sending troops over the Ukrainian border.
Separately, a Twitter account linked to Anonymous declared that the hacking collective was “officially in cyber war against the Russian government,” and the group claimed responsibility for a number of DDoS attacks and other hacks against Russian government websites and media channels.
Though other groups with offensive hacking capabilities may be tempted to join the conflict, cybersecurity professionals have cautioned against escalation. Regardless of intent, cyberattacks can have unforeseen consequences, particularly when targets are tied to infrastructure or other critical services that civilians depend on as well as the military.
“I’m worried about collateral damage from the ‘good guys,’ the vigilantes,” Wisniewski said. “Encouraging people to attack [cyber targets], that to me is a very dangerous situation … it’s not just an innocent activity when you don’t know the side effects.”