Russian Ransomware Attacks on Ukraine Muted by Leaks, Insurance Woes

Warnings that pro-Russian ransomware gangs would snarl networks in Ukraine and its allies have so far failed to materialize, owing to disarray in the criminal underworld that is often behind such attacks, as well as fears that insurers would refuse to pay out.

Source: Reuters | Published on March 2, 2022


Conti, one of the most notorious Russia-based cybercrime groups known for using ransomware to extort millions of dollars from US and European companies, declared its "full support" for President Vladimir Putin's government last week - a position it later retracted after becoming the victim of a leak.

"We do not ally with any government and we condemn the ongoing war," the group said in a later statement on its website.

Hours later, a Twitter account called "ContiLeaks" appeared, claiming to have obtained internal criminal group chat records.

According to Vitali Kremez, CEO of Florida-based cybersecurity firm AdvIntel, and Alex Holden, founder of Wisconsin-based Hold Security, the secret chats were leaked by a Ukrainian cybersecurity researcher. Reuters was unable to independently confirm the authenticity of the material.

Kremez and Holden both stated that they were in contact with the researcher, but that he did not want to speak to the media because he was still in Ukraine.

According to Kremez, the researcher had access to the logs for some time, but it was Conti's decision to swear allegiance to Moscow as Russian forces invaded Ukraine that prompted the researcher to make them public.

"What they said offended him," he told Reuters.

In the months leading up to Putin's invasion of Ukraine, Western intelligence agencies warned of the devastation that could result from any potential Russian cyberattacks on Ukraine's national infrastructure.

Last month, the Conti group was involved in high-profile attacks on KP Snacks, a popular British savory snack manufacturer, and at least one oil storage company, causing delays in some European oil shipments.

Still, Mark Warner, chairman of the U.S. Senate Intelligence Committee, said that the top Russian hacking groups identified by the US - dubbed the "A Team" - had not been used in a major cyberattack since the invasion. "It does not appear that they have been activated," he told Reuters on Monday.

On Sunday, a second notorious ransomware gang known as Lockbit, which is also thought to have members in Russia, issued a statement declaring its neutrality in the conflict in Ukraine.

"It's just business for us, and we're all apolitical. We are only interested in monetary compensation for our non-harmful and beneficial work," according to a statement on the group's website.

"Under no circumstances will we participate in cyber-attacks on critical infrastructures of any country in the world, nor will we engage in any international conflicts."

One possible explanation lies in the way cybersecurity insurance policies are written.

According to experts and industry observers, the more sophisticated digital extortion gangs deliberately target insured organizations: because a policy is already in place to pay the ransom, such victims are less likely to bargain the demand down or to refuse payment altogether.

However, most insurance policies exclude coverage for what is known as a "force majeure event," such as a war.

The legal precedent for what that entails is still being developed, but a cyberattack claimed by a gang aligned with a belligerent power like Russia could easily fall into that category, according to Holden of Hold Security.

"In ransomware attacks, most businesses contact their ransomware insurer," he explained. "It's easy to imagine insurers saying 'force majeure' or 'this is a case of warfare – we won't cover it.'"

There are other reasons as well. Many gangs are laser-focused on making money, and they are wary of attracting the negative attention that comes with openly allying with a hostile state, even if their members have no intention of leaving Russia.

"Our government would begin to designate them as enemy combatants or terrorists," Holden explained.