On February 25, the day after Russia invaded Ukraine, a prolific ransomware gang called Conti issued a proclamation on its dark website. It was an unusual political statement for a cybercrime organization: Conti pledged its “full support for the Russian government” and said it would use “all possible resources to retaliate against critical infrastructure” of opponents of Russia.
Perhaps sensing that such a public alliance with Russian President Vladimir Putin’s regime could cause problems, Conti tempered its statement later in the day. “We do not ally ourselves with any government and we condemn the ongoing war,” it wrote in a follow-up statement that nonetheless swore retaliation against the United States if it used cyber warfare to target “any Russian-speaking region of the world.”
Conti was likely concerned about the specter of US sanctions, which Washington applies to people or countries that threaten US security, foreign policy or the economy. But Conti’s attempt to reassert that its operation was not tied to any state did not work: Days after the Russian invasion, a researcher who would later tweet “Glory to Ukraine!” leaked 60,000 internal Conti messages on Twitter. The communications showed signs of links between the gang and the FSB, a Russian intelligence agency, and included one suggesting that a Conti boss “is in the service of Pu”.
Yet even as Putin’s family and other Russian officials, oligarchs, banks and businesses faced an unprecedented wave of US sanctions designed to deal a crippling blow to Russia’s economy, Conti escaped sanctions entirely. Once the US Treasury Department sanctions such an operation, Americans are legally prohibited from paying it a ransom.
The fact that Conti hasn’t been put on a sanctions list might seem surprising given the extensive damage it has caused. Conti penetrated the computer systems of over 1,000 victims worldwide, locked their files and collected over $150 million in ransoms to restore access. The group also stole victims’ data, posted samples on a dark website, and threatened to post more unless it was paid.
But only a small handful of the legions of suspected criminals and ransomware groups attacking American victims have been named on sanctions lists over the years by the Treasury Department’s Office of Foreign Assets Control, which administers and enforces them.
Putting a ransomware group on a sanctions list isn’t as simple as it sounds, current and former Treasury officials said. Sanctions are only as good as the evidence behind them. OFAC relies primarily on information from intelligence and law enforcement agencies, as well as reports from the media and other sources. When it comes to ransomware, OFAC has typically used evidence from indictments, like that of the alleged mastermind behind the Russian-based cybercrime gang Evil Corp in 2019. But such law enforcement actions can take years.
“Attribution is very difficult,” Michael Lieberman, deputy director of OFAC’s law enforcement division, acknowledged at a conference this year. (The Treasury Department did not respond to requests for comment from ProPublica.)
Ransomware groups constantly change their names, partly to evade sanctions and law enforcement. Indeed, on Thursday, a tech site called BleepingComputer reported that Conti itself had “officially shut down their operation.” The article, which cited information from a threat prevention company called AdvIntel, presented details on the status of Conti’s sites and servers, but was unambiguous on one key point: “Conti is gone, but the operation continues.”
The evanescence of the Conti name underscores another reason why it is difficult to sanction ransomware groups: Putting a group on a list of sanctioned entities without also naming the individuals behind it or disclosing other identifying characteristics could cause difficulties for bystanders. For example, a bank customer with the last name “Conti” could appear to be a sanctioned person, creating unintended legal exposure for that person and the bank, said Michael Parker, a former official in OFAC’s enforcement division. The government would then have to untangle such snags.
Imposing sanctions would also tie the hands of victimized organizations, such as businesses and hospitals, that may suffer the disclosure of trade secrets or other sensitive information, or may have to shut down if they cannot recover their locked files. If a victim could pay the ransom, the hacker would provide a key to unlock the files and pledge to delete the stolen data.
But even without sanctions, the victims are in a bind. Years before the invasion of Ukraine, OFAC imposed sanctions on the FSB, one of the successor agencies to the Soviet-era KGB. So even though Conti was not listed by name, its possible ties to the FSB or other listed Russian entities may have made it subject to sanctions anyway.
Between that and the poor optics of paying a Russian-linked group, most victims have not paid Conti’s ransom since the February proclamation, according to lawyers and negotiators who work with ransomware victims. They say the situation is confusing. “It would certainly be easier for us if the norm was to add particular ransomware groups to the OFAC list,” said Michael Waters, an attorney who frequently works with ransomware victims. “In this case, we are simply not going to make payments to these groups. But it’s much foggier than that.”
The lack of clarity forces victims to find out whether their attacker falls into a sanctioned category. Determining whether groups are operating from North Korea or Iran, for example, or on behalf of the FSB is “very, very difficult because there are obviously efforts to cover this up on the other side,” said Ryan Fayhee, a sanctions attorney who works with victims. The government makes it look “like it’s a traditional business venture and you can just filter out the criminal”, he added. “That’s not how it goes.”
The federal government has long discouraged ransom payments and in recent years has warned professionals who work with ransomware victims. In October 2020, the Treasury Department issued an advisory stating that “companies that facilitate ransomware payments to cyber actors on behalf of victims” may “risk violating OFAC regulations.” A second notice, in 2021, seemed to acknowledge that victims sometimes make payments that violate sanctions. In these cases, victims and their representatives may qualify for leniency if they promptly report the incident and payment to OFAC.
Since many victims in the past have shied away from reporting attacks to the FBI, fearing that the intrusion would become public or that the FBI would instead investigate the company itself, the Treasury Department hoped that the guidelines would encourage more victims to work with law enforcement. This, in turn, could lead to more charges and more sanctions.
This part of the strategy appears to be working: More victims are reporting incidents to law enforcement, according to Waters. Following the 2021 advisory, many insurers began asking for proof that policyholders making ransomware claims are reporting the incidents to the FBI, he said. The insurers he works with weigh heavily in the decisions made by intermediaries such as the negotiation firm Coveware. Following Conti’s Russia proclamation, Coveware stopped making payments to the group, co-founder Bill Siegel said. Coveware continued to negotiate with Conti, allowing time for the victim to assess the situation, prepare a public relations strategy, and arrange to notify those affected by the breach.
For its part, Conti kept a low profile following the leak in late February of its messages, then launched a final round of intrusions in April, including a major one against the Costa Rican government. But this attack, AdvIntel told BleepingComputer, appeared intended to provide cover while Conti protected its online infrastructure. Much like the Russian army in Ukraine, it seemed, Conti’s forces were conducting a tactical retreat in preparation for future attacks.