Conti ransomware gang backs Russia, vows retaliation for ‘war activities’ against Moscow

Two ransomware groups have endorsed Russia’s attack on Ukraine, with one promising to retaliate against any nation that takes action against Moscow.

According to Brett Callow, a Canadian-based threat analyst for Emsisoft, the Conti gang made the retaliation statement on its data leak site, used to show proof of hacks and data thefts.

“The Conti Team is officially announcing a full support of Russian government,” the statement says. “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all of our possible resources to strike back at the critical infrastructure of an enemy.”

In addition, Callow said, the CoomingProject gang issued this statement: “Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia.”

UPDATE: According to the Bleeping Computer news site, Conti has changed its online message, saying that they “do not ally with any government and we condemn the ongoing war” but will respond to Western cyber aggression on Russian critical infrastructure.

Conti has been known for bold words. When U.S. government authorities went after the REvil ransomware gang, Conti protested against the “unilateral, extraterritorial and bandit mugging behaviour of the United States in world affairs.” and complained about the “Neo-fascist alliance between the US and EU kleptocracies.”

The promise of retaliation isn’t surprising, Callow told ITWorldCanada. Conti is likely a splinter of a Russian-based group some security analysts call Wizard Spider, he said. It is believed that gang is also behind Ryuk strain of ransomware and the Trickbot malware.

The statements come as security researchers warn Russian-based threat actors — possibly endorsed by Moscow — could strike back at countries that impose economic sanctions for the attack on Ukraine.

According to a background paper released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as of last fall, Conti ransomware had been seen in more than 400 attacks on U.S. and international organizations.

While Conti is considered a ransomware-as-a-service (RaaS) model variant, the report says, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than the percentage of the proceeds used by affiliate cyber actors, and receives a share of the proceeds from a successful attack.

In its profile, Emsisoft said after an initial infection Conti operators take a hands-on approach rather than using an automated attack. The strain features command line capabilities that enable operators monitoring the hacked network to directly control, spread and execute the ransomware. This functionality gives attackers the unique ability to selectively choose to encrypt local files, network shares, and/or specific IP addresses, the report says. 

Prior to encryption Conti prepares the compromised system by deleting Windows Volume Shadow Copies and disabling 146 Windows services related to backup, security, database and email solutions, it adds.

Conti was first detected in December 2019, says Emsisoft. There was a handful of isolated Conti incidents over the next few months, with activity increasing significantly in mid-June 2020.

In August 2020, the Conti group launched a leak site (on both the dark web and surface web) where it publishes the stolen data of non-paying victims, Emsisoft says. The threat of being publicly named and having sensitive data exposed puts additional pressure on victims to pay the ransom. 

Threat researchers at Swiss-based ProDaft also released a report on Conti, saying the gang “has shown itself to be a particularly ruthless group, indiscriminately targeting hospitals, emergency service providers, and police dispatchers.”

“Conti also earned a reputation for not delivering decryption keys even after victims pay,” it adds.

According to the news site The Record, other hacking groups on Russia’s side are groups known to security researchers as Sandworm, The Red Bandits and UNC 1151.

The Record also says the hacktivist group Anonymous on Ukraine’s side, quoting it as saying it is “officially in a cyber war against the Russian government.” The site says Anonymous has tweeted that it targeted Russian-state controlled international television network RT, and “has taken down the website of the #Russian propaganda station RT News.”

Meanwhile Reuters reports that the government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops

Regardless of the threat of a specific gang or actor, this is a time when companies need to be very proactive of their security, commented Purandar Das, CEO of Sotero. Criminals are opportunistic and will look to take advantage of any confusion and chaos to strike, he said. The targets, countries in this case, aren’t necessarily concerned about threats from a criminal gang.

As for the statement from ransomware gangs, he called it “a bit of posturing and coming out in support of your sponsor.” Threatening the U.S. and/or law enforcement agencies is usually not a good idea, he added. “They tend to have long arms and longer memories.”

Karen Walsh, CEO of Allegro Solutions, warned any ransomware attacks perpetrated by cyber threat actors acting “on behalf of” Russia may kill cyber liability insurance.
In November, Lloyd’s Market Association published updates to their cyber liability policies that specifically address the war exclusion, she said. Notably, these changes mentioned cyber operations carried out in the course of war. As part of risk mitigation, companies should begin reviewing their cyber liability insurance exclusions and make sure that they question their carriers about their position on this issue, she said.

(This story has been updated from the original to add comments from Karen Walsh and Purander Das, as well as citations from The Record, Bleeping Computer and Reuters)

Brett Callow is Howard Solomon’s guest analyst on today’s Cyber Security Today Week in Review podcast, where he talks about trends in ransomware.