On February 25th, the day after Russia invaded Ukraine, a gang called Conti made a statement on its dark website. It was an unusual political statement for a cybercrime organization, as it pledged its full support of the Russian government and said it would use all possible resources to strike back.
It wrote in a follow-up that it did not ally with any government and that it condemned the ongoing war.
The threat of U.S. sanctions, which Washington applies to people or countries threatening America's security, foreign policy, or economy, is likely to be a concern for Conti. Within days of Russia's invasion, a researcher who had been studying the operation leaked information about its status as a stateless operation. There were signs of a connection between the gang and the Russian intelligence agency, the FSB, in the communications.
Even as Putin's family and other Russian officials have faced an unprecedented wave of U.S. sanctions designed to cripple the Russian economy, Conti was not hit with sanctions. Americans are not allowed to pay an operation that has been sanctioned by the U.S. Treasury Department.
It may seem surprising that Conti wasn't put on a sanctions list. More than a thousand victims were penetrated, and more than $150 million was collected in ransoms to restore access. The group stole victims' data, published samples on a dark website, and threatened to publish more unless they were paid.
The Office of Foreign Assets Control, which administers and enforces the sanctions, has only named a small number of the groups attacking the U.S.
Current and former Treasury officials said putting a group on a sanctions list isn't easy. Sanctions are only as good as the evidence behind them. Intelligence and law enforcement agencies are some of the sources OFAC relies on. Evidence from criminal indictments has been used by OFAC when it comes to ransomware. Law enforcement actions can take a long time.
At a conference this year, Michael Lieberman, assistant director of OFAC's enforcement division, acknowledged that attribution is very difficult. The Treasury Department did not reply to ProPublica's requests.
The groups are changing their names in order to evade sanctions. On Thursday, a tech site called BleepingComputer reported that a threat-prevention company called AdvIntel had information about the status of Conti.
It is hard to sanction groups that do not name the individuals behind them or release other identifying characteristics, because it could cause hardship for bystanders. A bank customer with the last name Conti might be added to the sanctions list, creating legal exposure for the bank and the customer. The government would have to untangle the snarls.