Civilian building damaged following a Russian rocket attack on the city of Kyiv, Ukraine showing Conti ransomware support of Russian government

As Ukraine War Rages, Conti Ransomware Gang Throws Support Behind Russian Government

The Russian government has largely turned a blind eye to the ransomware and cybercrime gangs based there so long as they do not interfere with national interests. At least one of these, the Conti ransomware group, apparently feels compelled to return the favor as neighboring Ukraine is invaded.

The Conti ransomware gang, also previously known as Wizard Spider, became one of the more prominent in the cyber crime world starting in 2020 with a series of attacks on medical facilities and law enforcement agencies. They were the first of the major gangs to exploit the Log4J vulnerability to deliver a ransomware attack, and prior to that had victimized Ireland’s Health Service Executive (among other targets that reportedly earned the group over $25 million in payments in 2021). Conti has pledged to respond to any cyber attacks on the Russian government or the country’s critical infrastructure.

Conti ransomware group jumps into the Russia-Ukraine conflict

The Conti ransomware gang used its dark web site, also used as a payment portal for victims and to dox those that don’t pay with “double extortion” postings of private documents, to announce its support for the Russian government and intention to retaliate. The United States government is apparently taking the threat seriously as it has issued a general warning to organizations in the country to be prepared for a potential response.

The association once again highlights the possible connection between the Russian government and the (seemingly) independent criminal groups that operate within its borders. The Russian approach to these groups has generally been to ignore them so long as they do not go after domestic targets or allies; many ransomware families have a setting to automatically self-terminate if they land on a machine that uses Cyrillic language settings. The Conti ransomware gang’s sudden voluntary burst of patriotism raises the question of whether ties are closer than previously thought, or if the group is simply engaging in some sort of self-promotion.

Conti is a ransomware-as-a-service group with numerous clients, apparently favored by ruthless operators that have no qualms about going after hospitals and emergency dispatch services. The ransomware has a particular focus on Windows systems, taking advantage of known vulnerabilities in Microsoft Exchange’s Proxyshell to breach networks.

For its part, Conti claims that it is not associated with the Russian government but that it will respond with its “full capacity” to Western attacks that take place anywhere in the Russian-speaking regions of the world (barring, one would assume, the relevant portions of Ukraine). Surprisingly, the criminal group also condemned the war but postured as a protector of peaceful citizens of Russia.

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, expanded on the exact level of risk that this group presents:

“Digital Shadows identified Conti as the second most active ransomware group in 2021 by number of victims and has attributed several attacks against critical national infrastructure to the group; this includes the attacks on the health care sector within Ireland and the United States. Other sectors consistently targeted by Conti include industrials goods and services. Conti’s activities have also recently been bolstered by hiring the developers of the infamous Trickbot trojan, which has also enabled them to control the development of another malware, the BazarBackdoor, which the group now use as their primary initial access tool. Conti consistently redefine and develop their working processes and should be considered a resourceful and sophisticated adversary.”

Russian government shows early restraint with cyber activities

All of this comes as Russia has shown surprisingly little interest in using cyber attacks as part of its invasion, instead appearing to sprint for the capital city of Kyiv with its conventional military forces in an apparent bid to quickly force a surrender. The invading country appears to be assiduously avoiding civilian casualties in a likely bid to keep other nations from getting involved, which may be why it is also largely refraining from cyber attacks on critical infrastructure.

It could also be a matter of outsourcing these attacks to the country’s criminals, however, such as the Conti ransomware gang. The Ukraine government seems to believe that cyber war is imminent, as it put out a call on Thursday for volunteer hackers to help defend its infrastructure and gather intelligence on Russian movements. Western forces have also sent intelligence specialists to the country to aid in cyber defense.

Cyber attacks tied to the Russian government (or at least that of their ally Belarus) did take place shortly before the invasion, but did not do much real damage; some 70 local government websites were defaced, and the website of the Defense Ministry and two of the country’s larger banks were taken offline for part of a day by a distributed denial of service (DDoS) attack.

The Conti ransomware gang’s missive followed an NBC News story claiming that the Biden administration was considering large-scale cyber attacks on Russia as a response to the invasion, but the White House quickly denied that the story was at all accurate.

On the US side, the hacker collective Anonymous pledged to attack the Russian government. The group’s Twitter account claimed takedowns of Russian ISPs and the Russia Today (RT) news website, and claimed that it was in possession of login credentials for the Russian Ministry of Defense website. Attribution to Anonymous is more tricky than it is for something like the Conti ransomware gang, however, as it is a generalized moniker that anyone can use (and that some believe Western intelligence agencies may be using).