Russia-Ukraine conflict: ransomware groups in a difficult position

Several criminal groups have taken political stances following Russia’s invasion of Ukraine. These stances reveal cosmopolitan teams, united mainly by financial interests and hampered by radical political positions.

Dissension in the ranks of Conti 

On 25 February 2022, the operators of the Conti ransomware began by posting on their blog their “full support of Russian government,” promising to retaliate against anyone conducting a cyberattack or any war activities against Russia. 

Two days later, on 27 February 2022, this first post was replaced by a second, much more moderate post. Although the group’s official position remains pro-Russian, the second post distanced it from Moscow and stated that they [the group’s members] “do not ally with any government” and that they “condemn the ongoing war.” 

They justify their position by the fact that “the West is known to wage its wars primarily by targeting civilians” and condition their retaliation on possible U.S. threats to “the well-being and safety of peaceful citizens.” Thus, they watered down and legitimised their post by placing themselves in the position of defenders of the victims of the conflict.

On the same day, a ransomware affiliate created the @contileaks Twitter account to begin posting messages taken from the criminal group’s internal messaging system. In one message, also published on Twitter, the author promises further data leaks and explains his action by his support for Ukraine. These posts—which included pseudonyms, bitcoin addresses, PGP keys, etc.—were made on 1 March.

Multinational crime companies 

The internal conflict and the reversal in the official position of the Conti Group can be put into perspective by reading the recent indictments against the cybercriminal groups. 

Indeed, in November 2021, in the context of the attacks attributed to the operators of the REvil ransomware, the American justice system brought charges against a Russian citizen and a Ukrainian citizen, while Europol had announced the arrest of twelve suspects in Ukraine and Switzerland the previous month. The groups therefore recruit their members widely, forming cosmopolitan teams.

This diversity can be seen in the position of the LockBit ransomware operators, who claim to be ‘apolitical’. After a long list of nationalities, they announce: “For us, it is just business. […] We will never, under any circumstances, take part in cyber-attacks against a country’s critical infrastructures […] or engage in any international conflicts.”

In recent years, these cybercriminal groups have organised themselves into affiliate structures led by operators who are now seeking to take sides. However, although these operators provide their affiliates with the technical means to carry out computer attacks (ransomware and other malware), they often cannot force them to take sides. These affiliates are not always of the same nationality and do not share the same political ideas. Their only common motivation is financial. 

CSIRT Lexfo