The Russian invasion of Ukraine has demonstrated the law of unintended consequences in a most unexpected way. By publicly backing the invasion, the heretofore most prolific ransomware group in the world inspired a backlash that appears to have temporarily crippled the group's ability to operate and given unprecedented insight into the world of ransomware operators.

Conti ransomware 101

Advances in cryptography have spawned new types of applications and business models. Unfortunately, one of them is ransomware. Combined with cloud computing, you get an especially virulent variety, ransomware-as-a-service (RaaS). Among the practitioners of this dark art, the most successful in 2021 was Conti, a Russia-based group.

The basic premise behind ransomware is to encrypt data on computer systems such that only the holder of the decryption key can decipher the data (in Conti's case, using a variant of AES-256). The organization behind the attack then offers to sell the key to the victim. This is often combined with a dual-extortion scheme, in which the attackers also threaten to release the data they stole.

Conti has taken this basic "business model" and refined it to the tune of almost $200 million in 2021.

The basic idea has a wide range of variations in the wild. The most prominent perpetrators of this kind of extortion are organized gangs. Many of these gangs are known to operate in Russia, with the tacit (or possibly explicit) approval of Russian security services. These often explicitly do not attack targets within Russia.

Although the Colonial Pipeline attack of 2021 was not the work of Conti, it brought wide attention to the issue (and a sweeping regulatory response). It saw a major piece of US oil infrastructure fall prey to ransomware, and ultimately the company paid the 75 bitcoin ransom demand (the lion's share of which was later recovered by the US Federal Bureau of Investigation, though how they did this is not known).

Conti is egalitarian in picking its victims, which include government institutions, corporations, and individuals. Although Conti (and other such groups) claim not to target hospitals, schools, and the like, Conti's attacks have included first-responder and medical systems, hampering their ability to deal with the Covid pandemic, and a devastating attack on Ireland's public healthcare system. In the world of cybercrime, Conti seems to dispense with honor among thieves.

According to reports, a steady stream of victims pay their ransoms quietly, without fanfare. Meanwhile, national and international cybersecurity experts work to counter them and educate the public about their approaches.

On this global stage, a dramatic plot twist unfolded: Russia invaded Ukraine.

The unraveling

The Russian invasion of Ukraine inspired Conti to issue a threat to those who opposed the invasion, making clear its support for Putin's actions. This was a bold public statement of support for Putin's invasion, and it apparently exposed fault lines within Conti itself. In short order, someone within the organization, or who had obtained access to it, began unleashing a torrent of jaw-dropping leaks giving insight into the internals of the so-called company.

These leaks are still arriving at the time of writing on this Twitter account. They include chat logs, source code, infrastructure details, and identities (including GitHub profiles) of alleged gang members.

The chat logs are primarily from the Jabber service and purport to include communications from the highest levels of Conti. In addition to clear-eyed discussion of cyberextortion as though it were a legitimate line of business, they reveal a nasty environment of bigotry, antisemitism and misogyny, as well as a banal setting similar in tone to remote office workers everywhere.

It's a curious mix of the everyday and the astonishing that reveals a lot about the world of cybercrime. Perhaps the most telling is just how commonplace and workaday the process has become. The organization has developed hacking kits that make the process of compromising networks something even entry-level folks can get into. (Amazingly, some new hires are even led to believe that they are working on legitimate white-hat penetration testing.)

The logs also reveal an intense interest in cryptocurrencies like Bitcoin, with chats soliciting ideas about how best to get into crypto. These ambitions include building their own decentralized systems, possibly for expediting the exchange of ransoms, or perhaps as a new means of driving income, or perhaps simply because it's the cool thing to do these days.

"To build our own, where it will already be possible to stick NFT, DEFI, DEX, and all the new trends that are and will be. So that others can already create their own coins, exchanges, and projects on our system." — Leaked Conti Chat Logs

Conti is constantly updating its capabilities to reflect the latest vulnerabilities; for example, Conti was all over the Log4Shell vulnerability.

The leaks also reveal more about the ties of Conti to Russia and the FSB.

The sources are posted to VirusTotal in this tweet. BleepingComputer has successfully compiled and run the locker/decryptor package without issue. The leaks also include sources for the notorious TrickBot malware, a kind of all-in-one hacking package.

Hacktivists have their day

This is not the first time the group has been offered a taste of its own medicine. In 2021, a disgruntled "partner" revealed other information about the group.

This recent leak, however, is of a more thoroughgoing character, and has apparently compromised the ability of the group to function. Although experts think the group will reconfigure to continue its activities, it's not clear they will be able to operate at the same level as previously seen. They dismantled a significant portion of their infrastructure in response to the leaks.

Much of the leak is in Cyrillic, and there is a lot of it. It's an epic undertaking to parse and contextualize the information, especially as regards the practical technical information it provides for identifying and counteracting ransomware operators, but it's clear the information is already having a profound effect on Conti, whose top boss has reportedly gone into hiding as a result.

This is not the only instance of hacktivism inspired by the Ukraine invasion. For instance, the @beehivecybersec group posted a successful attack that brought the Russian foreign ministry website down. A broader implication here is the power of sentiment in the global community to sway the force of cybersecurity and hacking activity one way or the other. There is an interplay of the actual and virtual worlds here, and the invasion may have altered the shape of things in a fundamental way going forward.

By dividing the previous unity found in not attacking Slavic nations, the invasion has introduced a rift into the ransomware community. Conti will probably reconfigure itself and return to its business of extortion, but the landscape in which it operates may never look the same.

The role that cybersecurity and cybercrime play in world events grows ever more prominent, as made clear in a March 21, 2021 announcement from US President Biden, in which the threat of cyberattack from Russia is clearly spelled out.

The US Cybersecurity and Infrastructure Security Agency has issued an ongoing advisory covering the general cybersecurity situation, and a specific one for Conti, with up-to-date alerts. These advisories are updated to reflect developments as the agency incorporates information from the leaks, including indicators of compromise as well as data on the various elements of their tactics for gaining access to networks.
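Advisories like the CISA one publish indicators of compromise in "defanged" form (for example `hxxps://` and `[.]`) so that they cannot be clicked or resolved by accident. The script below is an added example, not part of this article and not CISA or Conti code, showing how a defender turns such a list back into matchable values and sweeps it across DNS, proxy, firewall and EDR log lines. Every indicator and log line is constructed from reserved documentation ranges and placeholder values; none are Conti's real indicators, and the advisory format (`type,value`) is an assumption for the example.

```python
import re

# Constructed placeholder indicator list in a simple "type,value" layout.
# Values use reserved/documentation ranges and a dummy hash; they are NOT
# Conti's real indicators.  Like real advisories they are defanged.
PLACEHOLDER_HASH = "a" * 64
ADVISORY_IOCS = f"""
# type,value
domain,update-svc[.]example
domain,cdn-sync[.]example
ip,192[.]0[.]2[.]45
sha256,{PLACEHOLDER_HASH}
url,hxxps://update-svc[.]example/gate.php
"""

# Constructed log lines standing in for DNS, proxy, EDR and firewall telemetry.
SAMPLE_LOGS = [
    "2022-03-01T10:00:01Z dns client=10.0.0.5 query=www.google.com",
    "2022-03-01T10:00:07Z dns client=10.0.0.5 query=beacon.update-svc.example",
    "2022-03-01T10:00:09Z proxy client=10.0.0.5 url=https://update-svc.example/gate.php status=200",
    "2022-03-01T10:01:15Z edr host=ws-17 file=C:\\Users\\u\\AppData\\Local\\Temp\\x.dll sha256=" + "A" * 64,
    "2022-03-01T10:02:30Z fw src=10.0.0.5 dst=192.0.2.45 dport=443 action=allow",
    "2022-03-01T10:03:00Z fw src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
]

URL_RE = re.compile(r"https?://[^\s\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo common defanging so an indicator compares equal to raw telemetry."""
    value = value.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value)


def load_indicators(text: str) -> dict:
    """Parse the type,value list into per-type sets of refanged indicators."""
    iocs = {"domain": set(), "ip": set(), "sha256": set(), "url": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        if kind not in iocs:
            raise ValueError(f"unknown indicator type: {kind}")
        iocs[kind].add(refang(value))
    return iocs


def scan_logs(iocs: dict, lines: list) -> list:
    """Return sorted (line_number, type, value) hits for every indicator seen.

    Domains match exactly or as a subdomain of a listed domain, since C2
    infrastructure is often contacted through a rotating host label."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.lower()  # hashes and hostnames are case-insensitive
        for url in set(URL_RE.findall(line)):
            if url in iocs["url"]:
                hits.append((lineno, "url", url))
        for ip in set(IPV4_RE.findall(line)):
            if ip in iocs["ip"]:
                hits.append((lineno, "ip", ip))
        for digest in set(SHA256_RE.findall(line)):
            if digest in iocs["sha256"]:
                hits.append((lineno, "sha256", digest))
        for dom in set(DOMAIN_RE.findall(line)):
            if any(dom == ioc or dom.endswith("." + ioc) for ioc in iocs["domain"]):
                hits.append((lineno, "domain", dom))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, kind, value in scan_logs(load_indicators(ADVISORY_IOCS), SAMPLE_LOGS):
        print(f"line {lineno}: {kind} match on {value}")
```

The subdomain rule is the part most worth carrying into a real pipeline: an advisory that lists a bare domain still needs to fire on `beacon.update-svc.example`, and a matcher that only does exact string comparison will miss it.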