Why it’s hard to sanction ransomware groups
On February 25, the day after Russia invaded Ukraine, a prolific ransomware gang called Conti made a proclamation on its dark website. It was an unusually political statement for a cybercrime organization: Conti pledged its “full support of Russian government” and said it would use “all possible resources to strike back at the critical infrastructures” of Russia’s opponents.
Perhaps sensing that such a public alliance with the regime of Russian President Vladimir Putin could cause problems, Conti tempered its declaration later that day. “We do not ally with any government and we condemn the ongoing war,” it wrote in a follow-up statement that nonetheless vowed retaliation against the United States if it used cyberwarfare to target “any Russian-speaking region of the world.”
Conti was likely concerned about the specter of US sanctions, which Washington applies to people or countries threatening America’s security, foreign policy, or economy. But Conti’s attempt to resume its status as a stateless operation didn’t work out: Within days of Russia’s invasion, a researcher who would later tweet “Glory to Ukraine!” leaked 60,000 internal Conti messages on Twitter. The communications showed signs of connections between the gang and the FSB, a Russian intelligence agency, and included one suggesting a Conti boss “is in service of Pu.”