PHOTO FILE: Resident stands in front of the national flag of Ukraine as part of the “Day of Unity” in the center of Kiev, Ukraine, February 16, 2022 REUTERS / Carlos Barria

March 1, 2022

James Pearson and Raphael Sutter

LONDON / WASHINGTON (Reuters) – Warnings that pro-Russian extortionist gangs will cover networks in Ukraine and its allies have not yet materialized amid unrest in the underworld, which is often behind such attacks, and fears that insurers will not pay.

Conti, one of Russia’s most notorious cybercrime groups, known for using extortionists to extort millions of dollars from American and European companies, last week announced its “full support” for President Vladimir Putin’s government, a position she later responded to. they themselves became victims of the leak.

“We are not in alliance with any government and condemn the ongoing war,” the group said in a later statement on its website.

A few hours later, a Twitter account called “ContiLeaks” appeared, in which records of the criminal group’s internal chat were published.

The secret chats were leaked to Ukrainian cybersecurity researchers, according to Vitaly Kremez, CEO of cybersecurity firm AdvIntel, based in Florida, and Alex Holden, founder of Hold Security in Wisconsin. Reuters was unable to verify the authenticity of the material.

Kremez and Holden said they both contacted the researcher, but he did not want to talk to the media because he is still in Ukraine.

According to Kremez, the researcher had access to the journals for some time, but the trigger for publication was Conti’s decision to swear allegiance to Moscow when Russian troops invaded Ukraine.

“He was offended by what they said,” he told Reuters.

For several months before Putin’s invasion of Ukraine, Western intelligence services warned of chaos caused by the devastating “overflow” of any potential Russian cyberattacks on Ukraine’s national infrastructure.

Last month, the Conti group was embroiled in high-profile attacks against KP Snacks, a maker of popular British savory snacks, and at least one oil storage company, which has delayed some oil supplies to the European country.


Of course, the chairman of the U.S. Senate Intelligence Committee, Mark Warner, said that the main Russian hacker groups identified by the United States – Team A, as he called it – were not used in a major cyber attack after the invasion. “They don’t seem to have been activated,” he told Reuters on Monday.

On Sunday, a second infamous group of extortionist programs called Lockbit, whose members cybersecurity experts say are also in Russia, issued a statement declaring its neutrality in the conflict with Ukraine.

“For us, it’s just business, and we’re all apolitical. We are only interested in money for our harmless and useful work, ”the group said in a statement on its website.

“We will never and under no circumstances engage in cyber attacks on critical infrastructures of any country in the world and in any international conflicts.”

One reason for this may be a loophole in cybersecurity insurance policies.

Experts and observers argue that more advanced groups of digital extortion tend to focus on insured organizations because victims already have a policy to get paid, making them less likely to bargain for less ransom or refuse to pay.

But insurance policies usually have exceptions to what is described as a “force majeure event” – such as a military act.

The legal precedent as to what that means is still evolving, but the cyberattack claimed by a gang linked to a belligerent state like Russia could easily fall into that category, Holden of Hold Security said.

“In ransomware attacks, most companies call them ransomware insurers,” he said. “You can imagine insurers saying ‘force majeure’ or ‘this is a case of war – we won’t cover it.’

There are other reasons. Many gangs are focused on making money and – even if their members are not interested in leaving Russia – they are afraid to attract the negative attention that comes with an open alliance with an enemy state.

“Our government will start calling them enemy combatants or terrorists,” Holden said.

(Report by James Pearson in London and Raphael Sutter in Washington; additional reports by Jonathan Landai and Christopher Bing in Washington; edited by Chris Sanders and Matthew Lewis)

Previous articleAirbnb offers free housing to 100,000 Ukrainian refugees
Next articleAmazon is closing 68 stores, stopping Amazon Books, a 4-star Pop Up store