By James Pearson and Raphael Satter
LONDON/WASHINGTON (Reuters) – Warnings that pro-Russian ransomware gangs would snarl networks in Ukraine and its allies have so far failed to materialise amid disarray among the criminal underworld often behind such attacks and fears insurers would not pay out.
Conti, one of the most notorious Russia-based cybercrime groups known for using ransomware to extort millions of dollars from U.S. and European companies, announced its “full support” for the government of President Vladimir Putin last week – a position it later walked back as the group itself became the victim of a leak.
“We do not ally with any government and we condemn the ongoing war,” the group said in a later statement on its website.
Hours later, a Twitter account called “ContiLeaks” appeared and published what it said were internal chat records from the criminal group.
The secret chats were leaked by a Ukrainian cybersecurity researcher, according to Vitali Kremez, the chief executive of Florida-based cybersecurity firm AdvIntel, and Alex Holden, the founder of Wisconsin-based Hold Security. Reuters could not independently verify the authenticity of the material.
Kremez and Holden said they were both in touch with the researcher but that he did not wish to speak to the media because he was still in Ukraine.
According to Kremez, the researcher had access to the logs for some time but the trigger for going public was Conti’s decision to swear allegiance to Moscow as Russian forces invaded Ukraine.
“He was offended by what they said,” he told Reuters.
In the months leading up to Putin’s invasion of Ukraine, Western intelligence agencies warned of chaos caused by a destructive “spillover” of any potential Russian cyberattacks on Ukraine’s national infrastructure.
Last month, the Conti group was involved in high-profile attacks against KP Snacks, a maker of popular British savoury snacks, and at least one oil storage company that caused delays in some European oil shipments.
To be sure, U.S. Senate Intelligence Committee Chairman Mark Warner said top Russian hacking groups identified by the United States – the A Team as he called it – had not been used in a major cyberattack since the invasion. “It does not appear that they’ve been activated,” he told Reuters on Monday.
On Sunday, a second notorious ransomware gang called Lockbit, also believed by cybersecurity experts to have members in Russia, released a statement declaring its neutrality in the conflict with Ukraine.
“For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work,” the group said on its website.
“We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts.”
One reason for that could be a loophole in cybersecurity insurance policies.
Experts and industry-watchers say the more sophisticated digital extortion gangs tend to focus on insured organisations because the victims already have a policy to make the payoff, making them less likely to bargain for a lower ransom or refuse to pay.
But insurance policies typically have exclusions for what is described as a “force majeure event” – such as an act of war.
The legal precedent around what exactly that means is still developing, but a cyberattack claimed by a gang aligned with a belligerent power like Russia could easily fall into that category, said Holden of Hold Security.
“In ransomware attacks, most companies call their ransomware insurer,” he said. “You can imagine that insurers would say, ‘force majeure’ or ‘this is a case of warfare – we won’t cover it’.”
There are other reasons too. Many gangs are laser-focused on making money and – even if their membership is not interested in leaving Russia – they are wary of attracting the negative attention that comes with openly allying with a hostile state.
“Our government would start designating them as enemy combatants or terrorists,” Holden said.
(Reporting by James Pearson in London and Raphael Satter in Washington; Additional reporting by Jonathan Landay and Christopher Bing in Washington; Editing by Chris Sanders and Matthew Lewis)