On Feb. 25, the day after Russia invaded Ukraine, a prolific ransomware gang called Conti made a proclamation on its dark web site. It was an unusually political statement for a cybercrime organization: Conti pledged its “full support of Russian government” and said it would use “all possible resources to strike back at the critical infrastructures” of Russia’s opponents.
Perhaps sensing that such a public alliance with the regime of Russian President Vladimir Putin could cause problems, Conti tempered its declaration later that day. “We do not ally with any government and we condemn the ongoing war,” it wrote in a follow-up statement that nonetheless vowed retaliation against the United States if it used cyberwarfare to target “any Russian-speaking region of the world.”
Conti was likely concerned about the specter of U.S. sanctions, which Washington applies to people or countries threatening America’s security, foreign policy or economy. But Conti’s attempt to resume its status as a stateless operation didn’t work out: Within days of Russia’s invasion, a researcher who would later tweet “Glory to Ukraine!” leaked 60,000 internal Conti messages on Twitter. The communications showed signs of connections between the gang and the FSB, a Russian intelligence agency, and included one suggesting a Conti boss “is in service of Pu.”
Yet even as Putin’s family and other Russian officials, oligarchs, banks and businesses have faced an unprecedented wave of U.S. sanctions designed to impose a crippling blow on the Russian economy, Conti was not hit with sanctions. Any time the U.S. Treasury Department sanctions such an operation, Americans are legally barred from paying it ransom.
The fact that Conti wasn’t put on a sanctions list may seem surprising given the widespread damage it wrought. Conti penetrated the computer systems of more than 1,000 victims around the world, locked their files and collected more than $150 million in ransoms to restore access. The group also stole victims’ data, published samples on a dark website and threatened to publish more unless it was paid.
But only a small handful of the legions of alleged ransomware criminals and groups attacking U.S. victims have been named on sanctions lists over the years by the Treasury Department’s Office of Foreign Assets Control, which administers and enforces them.
Putting a ransomware group on a sanctions list isn’t as simple as it might seem, current and former Treasury officials said. Sanctions are only as good as the evidence behind them. OFAC mostly relies on information from intelligence and law enforcement agencies, as well as media reports and other sources. When it comes to ransomware, OFAC has typically used evidence from criminal indictments, such as that of the alleged mastermind behind the Russia-based Evil Corp cybercrime gang in 2019. But such law enforcement actions can take years.
“Attribution is very difficult,” Michael Lieberman, assistant director of OFAC’s enforcement division, acknowledged at a conference this year. (The Treasury Department did not respond to ProPublica’s requests for comment.)
Ransomware groups are constantly changing their names, in part to evade sanctions and law enforcement. Indeed, on Thursday, a tech site called BleepingComputer reported that Conti itself has “officially shut down their operation.” The article, which cited information from a threat-prevention company called AdvIntel, laid out details about the status of Conti’s sites and servers but was unambiguous on a key point: “Conti’s gone, but the operation lives on.”
The evanescence of the Conti name underscores another reason it’s hard to sanction ransomware groups: Putting a group on a list of sanctioned entities without also naming the individuals behind it or releasing other identifying characteristics could cause hardship for bystanders. For example, a bank customer with the last name “Conti” might pop up as a sanctioned person, creating unintended legal exposure for that person and the bank, said Michael Parker, a former official in OFAC’s Enforcement Division. The government then would have to untangle these snarls.
By imposing sanctions, the federal government would hamstring victimized organizations, such as businesses and hospitals, that might suffer disclosure of trade secrets or other sensitive information, or might have to shut down if they couldn’t recover their locked files. If they could pay the ransom, the hacker would supply a key to unlock the files and pledge to delete stolen data.
But even without sanctions, victims are in a bind. Years before the invasion of Ukraine, OFAC imposed sanctions on the FSB, one of the successor agencies to the Soviet-era KGB. So even though Conti was not listed by name, its possible ties to the FSB or other listed Russian entities may have rendered it sanctioned anyway.
Between that and the bad optics of paying a group linked to Russia, most victims had not paid Conti’s ransom after the February proclamation, according to lawyers and negotiators who work with ransomware victims. They say the situation is confusing. “It certainly would be easier for us if the standard were to add particular ransomware groups to the OFAC list,” said Michael Waters, an attorney who frequently works with victims of ransomware. “Then we simply aren’t going to make payments to those groups. But it is much foggier than that.”
Some American victims continued to pay ransoms to Conti through a Canadian intermediary called Cypfer. CEO Daniel Tobok said Cypfer paid Conti on behalf of about a dozen victims, more than a third of them American, after the war began. He said that some companies would have had to lay off employees or shut down entirely if they hadn’t paid Conti. Cypfer follows U.S. sanctions on groups listed by name, such as Evil Corp, Tobok said. “Either they’re on the sanctions list or they’re not,” he said of Conti. “I don’t include morals here.”
The lack of clarity puts the onus on victims to discover if their attacker falls into a sanctioned category. Determining whether groups are operating out of North Korea or Iran, for example, or on behalf of the FSB is “very, very challenging because there’s obviously efforts to conceal that on the other side,” said Ryan Fayhee, a sanctions attorney who works with victims. The government makes it seem “as if this is a traditional commercial enterprise and you can just simply screen the criminal,” he added. “That’s not how it happens.”
The federal government has long discouraged the payment of ransom and in recent years has put the professionals who work with ransomware victims on notice. In October 2020 the Treasury Department issued an advisory saying that “companies that facilitate ransomware payments to cyber actors on behalf of victims” may “risk violating OFAC regulations.” A second advisory, in 2021, seemed to acknowledge that victims sometimes make payments that violate sanctions. In those cases, victims and their representatives may receive leniency if they quickly report the incident and payment to OFAC.
Since many victims in the past have been loath to report attacks to the FBI, fearing that the intrusion would become public or the FBI would instead investigate the company itself, the Treasury Department hoped the guidance would prompt more victims to work with law enforcement. That, in turn, could lead to more indictments and more sanctions.
That part of the strategy seems to be working: More victims are reporting incidents to law enforcement, according to Waters. Following the 2021 advisory, many insurers began requesting proof that policyholders making ransomware claims report the incidents to the FBI, he said. The insurers he works with heavily weigh decisions made by intermediaries such as negotiating firm Coveware. Following Conti’s proclamation about Russia, Coveware stopped making payments to the group, said its co-founder, Bill Siegel. Coveware continued to negotiate with Conti, allowing time for the victim to assess the situation, prepare a public relations strategy and make arrangements to notify people affected by the breach.
For its part, Conti lay low following the late February leak of its messages, then launched a final burst of intrusions in April, including a significant one against the Costa Rican government. But that attack, AdvIntel told BleepingComputer, seemed intended to provide cover while Conti protected its online infrastructure. Not unlike the Russian army in Ukraine, it seemed, Conti’s forces were making a tactical retreat in preparation for future attacks.
Update, May 24, 2022: This article has been updated to include comments, made after this story was produced for publication, from the CEO of a company that continued to pay ransom to Conti after it proclaimed its sympathy to Russia.
Daniel Golden contributed reporting.
Renee Dudley and Daniel Golden are the authors of “The Ransomware Hunting Team,” which will be published in October by Farrar, Straus and Giroux.