View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 28, 2022updated 07 Jul 2022 4:51am

Conti’s allegiance to Russia could help the ransomware gang avoid capture

Ransomware gang Conti faced an online backlash after declaring support for Russia's invasion of Ukraine. But the statement could help the gang in the long run.

By Claudia Glover

Ransomware-as-a-Service (RaaS) gang Conti has publicly declared its support for the Russian invasion of Ukraine, before quickly withdrawing the statement in the face of a backlash from its partner hacking groups. Conti’s attempt to backtrack came too late however, as thousands of its private chats were leaked online by a Ukrainian researcher. While these political divisions between the gang and its affiliates could weaken it in the short term, it is likely to benefit from greater protection from Russian law enforcement agencies, experts say.

Conti Russia support

Ransomware gang Conti has apparently backed Russia’s war in Ukraine, which was preceded by a string of cyberattacks. (Photo by Beata Zawrzel/NurPhoto via Getty Images)

Conti, which is based in Russia and has been behind a string of large-scale ransomware attacks in recent months, including strikes against both the Irish and New Zealand healthcare systems, publicly announced its support of Russia in a post on its website on Saturday. The message threatened “retaliation” against anyone targeting cyber warfare at Russia.

Conti did not retain this public position for long, however, changing its statement hours after the first announcement, saying it does not “ally with any government” and that it “condemns the ongoing war”. Its announcement does still betray animosity towards the West by saying it will “use resources in order to strike back” if the safety of peaceful citizens is endangered by “American cyber aggression.” The gang explains that it will “use full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”

Conti documents leaked online

Redrafting the announcement to avoid siding with Russia did not have the desired effect, however, as yesterday the contents of one of Conti’s servers was leaked online by a Ukrainian security researcher. The server contains tens of thousands of messages from messaging app Jabber sent between members of the Conti gang, exposing ties to another RaaS group LockBit, as well as numerous affiliates.

The implications of Conti’s public support of Russia, and the subsequent leak, has divided security experts. The initial show of support does not bode well for Conti says Xue Yin Peh, senior cyber threat intelligence analyst at security company Digital Shadows. As Conti will probably have Ukrainian affiliates, its announcement is likely to cause “internal divisions among its members,” Peh says. She adds further leaks could follow from disaffected affiliates: “It is not hard to imagine that the political divide can also drive other disheartened affiliates to take similar actions,” she adds.

Content from our partners
Why all businesses must democratise data analytics
How start-ups can take the next step towards scaling up
Unlocking the value of artificial intelligence and machine learning

The revised statement could reflect the “potential threat of operating a cybercriminal group divided by political differences,” Peh continues. Other ransomware gangs like Lockbit have publicly announced their apolitical stance, possibly for the same reasons. Conti was one of the most active ransomware gangs last year, and Peh does not expect its output to be affected by any internal problems, as it can “easily develop or turn to another infrastructure.”

Will Conti's support for Russia help or hinder the gang?

On a geopolitical level, Lior Div, CEO and co-founder of security company Cyber Reason says announcements such as Conti's could be seen as a show of force driven by the Russian government. “Russia is showing us that their cyberattackers are not merely state-tolerated they are state-controlled,” he says. “They are sending a signal to NATO members that they will use cyber retaliation for actions taken against them.”

Andy Norton, European cyber risk officer at security company Armis, agrees that allying with the Russian government will probably make the gang stronger despite losing its Ukrainian affiliates. “I don’t think the group will be weakened by this, their largest exposure is the threat of local law enforcement arresting them," he says. By "showing loyalty” to Russia, the gang will probably receive greater protection from the security forces, Norton adds.

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU