As Russia's invasion of Ukraine enters its fifth day, a coalition led by the US and Europe has mounted a coordinated response focused on financial sanctions and military aid. While the conflict grows in scale and intensity, organizations far beyond the apparatus of military and government are being drawn in.
In Russia, the borders between the Russian intelligence services and the hackers are sometimes porous, and one group in particular has been made to pay for its allegiance to the Putin regime.
On Friday, the notorious ransomware gang Conti surprised many observers by explicitly casting its lot with Putin's military agenda, declaring full support for the Russian government and threatening to mount attacks on critical infrastructure of any adversaries launching cyberattacks against Russia.
On February 27th, an anonymous individual leaked a cache of chat logs from the organization, revealing a huge amount of previously unpublished information about the group's internal workings.
The data contains over a year's worth of chat logs from the open-source instant messaging service, containing messages between at least 20 chat handles presumed to belong to members of the gang. The logs seem to confirm a chain of command between Conti and Russian intelligence agencies. According to the chat logs, members of the group tried to hack a Bellingcat contributor on the orders of Russia's main internal security service.
Russia has been criticized in the past for hosting cybercriminal groups, which, with certain exceptions, are allowed to operate with impunity provided they refrain from attacking domestic targets. Proximity to the Russian government has been an advantage for cybercriminals in the past, but there are signs that the dynamics of the Ukraine invasion are turning it into a liability.
The founder of Hold Security said that the logs had been leaked by a Ukrainian security researcher who had been able to penetrate the Conti gang.
He described the leaker as a Ukrainian citizen who is doing this as part of his war against cybercriminals who support the Russian invasion, and said the leaker's identity could not be revealed without endangering his safety.
“This is a Ukrainian citizen ... who is doing this as part of his war against cybercriminals who support the Russian invasion”
According to The Record, the chat logs contain addresses where payments were made to the Conti gang, as well as messages detailing negotiations between the gang and companies that had not disclosed a ransomware incident.
The logs contained details of the technical infrastructure, logistical operations, discussions of zero-day vulnerabilities, and internal tooling, as well as a version of the logs that was translated into English. It was difficult to assess the long-term impact of the release of the logs given the short time frame.
Chester Wisniewski, principal research scientist at Sophos, said that although many of the most prolific groups are aligned with Russia, many others are not. Many of them may have decided to steer clear of the conflict rather than support the Russians.
The polarizing nature of the conflict means there is less cybercriminal activity than we expected.
“For us it is just business and we are all apolitical”
LockBit issued a statement declaring neutrality in the conflict, and the international makeup of the group's organization is said to be the reason it will not target Western infrastructure.
The message posted by LockBit said that for the group it was just business and that they were all apolitical.
Even as the ransomware gangs have been reluctant to choose sides, some hacktivist groups have rushed to join the cause. A group operating out of one country has claimed to be disrupting the movement of military units by shutting down that country's railways, after its government decided to support Russia by sending troops over the Ukrainian border.
The hacking collective declared cyber war on the Russian government and claimed responsibility for a number of hacks against Russian government websites and media channels.
Cybersecurity professionals have cautioned against escalating the conflict, because other groups with offensive hacking capabilities may be tempted to join. If targets are tied to infrastructure or other critical services with uses beyond the military, cyberattacks can have unforeseen consequences.
Wisniewski said he was worried about the damage done by the good guys.