Ransomware-as-a-Service (RaaS) gang Conti has publicly declared its support for the Russian invasion of Ukraine, before quickly withdrawing the statement in the face of a backlash from its partner hacking groups. Conti’s attempt to backtrack came too late, however, as thousands of its private chats were leaked online by a Ukrainian researcher. While these political divisions between the gang and its affiliates could weaken it in the short term, it is likely to benefit from greater protection from Russian law enforcement agencies, experts say.
Conti, which is based in Russia and has been behind a string of large-scale ransomware attacks in recent months, including strikes against both the Irish and New Zealand healthcare systems, publicly announced its support of Russia in a post on its website on Saturday. The message threatened “retaliation” against anyone targeting cyber warfare at Russia.
Conti did not retain this public position for long, however, changing its statement hours after the first announcement, saying it does not “ally with any government” and that it “condemns the ongoing war”. Its announcement does still betray animosity towards the West by saying it will “use resources in order to strike back” if the safety of peaceful citizens is endangered by “American cyber aggression.” The gang explains that it will “use full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”
Conti documents leaked online
Redrafting the announcement to avoid siding with Russia did not have the desired effect, however, as yesterday the contents of one of Conti’s servers were leaked online by a Ukrainian security researcher. The server contains tens of thousands of messages sent over the messaging app Jabber between members of the Conti gang, exposing ties to another RaaS group, LockBit, as well as to numerous affiliates.
The implications of Conti’s public support of Russia, and of the subsequent leak, have divided security experts. The initial show of support does not bode well for Conti, says Xue Yin Peh, senior cyber threat intelligence analyst at security company Digital Shadows. As Conti will probably have Ukrainian affiliates, its announcement is likely to cause “internal divisions among its members,” Peh says. She adds that further leaks could follow from disaffected affiliates: “It is not hard to imagine that the political divide can also drive other disheartened affiliates to take similar actions.”
The revised statement could reflect the “potential threat of operating a cybercriminal group divided by political differences,” Peh continues. Other ransomware gangs, such as LockBit, have publicly announced an apolitical stance, possibly for the same reasons. Conti was one of the most active ransomware gangs last year, and Peh does not expect its output to be affected by any internal problems, as it can “easily develop or turn to another infrastructure.”
Will Conti's support for Russia help or hinder the gang?
On a geopolitical level, Lior Div, CEO and co-founder of security company Cybereason, says announcements such as Conti’s could be seen as a show of force driven by the Russian government. “Russia is showing us that their cyberattackers are not merely state-tolerated, they are state-controlled,” he says. “They are sending a signal to NATO members that they will use cyber retaliation for actions taken against them.”
Andy Norton, European cyber risk officer at security company Armis, agrees that allying with the Russian government will probably make the gang stronger despite losing its Ukrainian affiliates. “I don’t think the group will be weakened by this; their largest exposure is the threat of local law enforcement arresting them,” he says. By “showing loyalty” to Russia, the gang will probably receive greater protection from the security forces, Norton adds.