WORLD’S ‘MOST ACTIVE’ RANSOMWARE GANGS BASED IN RUSSIA TARGETING UKRAINE

Earlier this month, Robert Potter spoke to 6PR Mornings about a recent increase in cyber attacks coming out of Russia.

Listen to the interview here.

Transcript excerpt:

Liam Bartlett (6PR Mornings Host): We spoke late last week just as the invasion of Ukraine was beginning from Russia. We talked about whether or not sanctions that any of the Western countries were enacting would be effective. And of course since those conversations there have been another round of sanctions and they look as though they may be starting to have some impact; well not an impact on Vladimir Putin directly but hopefully down the track. But in the meantime it’s the other way around that we need to worry about according to some cyber experts. There is a number of ransomware gangs who are threatening cyber attacks on critical infrastructure of those countries which are retaliating against Russia, which are fighting back against Putin. One of those groups is called the Conti Ransomware group and is supposed to be one of the biggest most prolific groups in the world who are capable of this sort of menace. Joining us this morning is Robert Potter. Robert is the CEO of defence consultancy Internet 2.0. Robert, good morning.

Robert Potter: Good morning.

Liam Bartlett (6PR Mornings Host): Thanks very much for joining us, Robert. What can you tell us about this group, Conti Ransomware?

Robert Potter: Conti hits about 30 institutions across government and the private sector every month. They are one of the largest ransomware collectives. They’re domiciled in Russia and over time that group has become more and more ideological, they have become more and more pro-Kremlin. They’ve certainly hit targets in Australia and New Zealand although recently most of their priority targets have been in the United States and Europe. They kind of seem to have changed who they are focussed on at the moment. Although that might change back. Late last year they hit a number of targets in Australia including CS Energy in Queensland and Finite Recruitment, which is a defence recruitment company.

Liam Bartlett (6PR Mornings Host): Do they badge themselves Conti? Is that the title that they choose?

Robert Potter: Yes, that’s the name that they chose. They’ve got a bunch of names, most of them are terrible. Cyber security is bad at naming things. I think the worst one I heard for them is ‘Wizard Spider’.

Liam Bartlett (6PR Mornings Host): Right, hah.

Robert Potter: They [Conti] are very motivated. They put out a statement over the weekend that was really interesting where they said that they were now entering the… they were taking their masks off and going to be identifying themselves as a Russian supporting institution. A couple of hours after that they put out another statement. It was more ambiguous saying that they would retaliate against attacks on Russia but they weren’t operating on behalf of the country. But the damage from a messaging point of view was already done. They and a number of other ransomware groups had come along and said now we’re going to be acting on behalf of the Russian government.

Liam Bartlett (6PR Mornings Host): And so when you say they are aligned with the Kremlin, Robert, are they state backed? Or do we know anything about the people behind them? Or are they doing that at the bidding of the Russian government? Or are they just a bunch of crooks who make a lot of money from this?

Robert Potter: It’s more like that they have been left alone by the Russian government as long as they follow certain rules. That was the original deal was that they were free to make money and be a criminal enterprise holding people up for ransom. But over time they have now been sucked into, more closely into the government of the country. And they have started making all these statements late last year about attacking America and retaliating for cyber-attacks on other ransomware groups. So, they have started to find their voice and get more bold. Previously they used to be really ambiguous, they had all of their stuff on the dark web. Now they just have a normal website and they release public statements. So, the way they have been engaging has changed dramatically. There is a couple of ways that that’s going to be problematic for us is that we are now going to see, you know, they’re hitting 30 targets a month, people are going to interpret even their normal operations through the prism of Ukraine. And the other component that is very interesting is from an insurance point of view where a lot of cyber insurance companies won’t cover state sponsored cyber-attacks. They’ll cover you against criminal cyber-attacks. If you have a cyber insurance policy, you’ll want to be checking that pretty quickly to make sure that you’re still covered against Conti because now that they are saying they are a state based actor you may find yourself in a situation where your insurance provider doesn’t want to provide for your incident response.

Liam Bartlett (6PR Mornings Host): Well, that’s pretty fascinating, isn’t it? Where do you put them [Conti] in organised crime? I mean, do you know if they make a lot of money?

Robert Potter: They do make a lot of money. They’ve made several hundred million dollars out of ransomware. Ransomware is still not the biggest form of cybercrime, that’s just normal Business Email Compromise. But it’s rising mostly because Bitcoin has made it really easy for them to transit their payments in a way that’s difficult to track, not impossible, but difficult. So, they’ve made quite a bit of money out of that.

Liam Bartlett (6PR Mornings Host): So, for law enforcement or intelligence agencies, I guess it goes to that level, in terms of trying to combat these people, it would be very hard to track them down personally, wouldn’t it?

Robert Potter: It is hard because they have been safe havened by Russia. In other countries there are ransomware groups in Latin America, in Africa and in Asia where we have had tremendous success from a law enforcement point of view of breaking up the groups because when there is less support from the police to enable them to act, we have been able to get people arrested. But it is much harder in Russia because of the fact that the Russian government has been prepared to turn a blind eye and now accept support from them.

Liam Bartlett (6PR Mornings Host): Well, we heard the Prime Minister last week, didn’t we, Prime Minister Scott Morrison, urging companies here in Australia to take an enhanced cybersecurity position, which sort of seemed a little bit melodramatic at the time but he was spot on, wasn’t he?

Robert Potter: He is and there is a lot of… So you think of cyber as kind of two domains. You’ve got state directed coming down and then you have inspired coming up. The Ukrainian cyber defence has been really interesting to watch because Ukraine doesn’t have a cyber agency really, but they have been able to attract over 100,000 people to their cyber volunteers groups to provide insight into their own cyber operations. And they have been tremendously effective in taking down a number of Russian websites over the past few days. So, you can see that even though those are obviously not state directed, they are people who are just like volunteering to help the Ukrainians. And you are seeing the same thing on the Russian side with Conti trying to kind of replicate that. They’re more technologically sophisticated than the average Ukrainian cyber volunteer, obviously, but there is probably nowhere near as many of them.

Liam Bartlett (6PR Mornings Host): Yeah, no, it’s fascinating. All right, we hope that no local businesses here get caught in the web. Thanks very much for having a chat to us about it today, Robert, I appreciate the insight.

Robert Potter: Not a problem. Thanks for your time.

Liam Bartlett (6PR Mornings Host): Robert Potter, cyber security expert. He’s the CEO of defence consultancy, Internet 2.0. And of course, the Australian Cyber Security Centre in Canberra warning all local businesses to be on alert for increased attacks, especially from those coming from groups like Conti.

[ENDS]
