SERC: Ransomware Threats Continuing to Evolve
Groups Changing Strategies Amid Russo-Ukraine Conflict
A cybersecurity expert said electric utilities may face a growing threat of ransomware attacks amid the ongoing Russo-Ukraine conflict.

The threat of ransomware is only increasing amid Russia’s conflict with Ukraine, and electric utilities must be ready for the worst-case scenario, cybersecurity experts said last week at a SERC Reliability-hosted webinar.

In The Scoop: Ransomware, representatives from the law enforcement, electric industry, and cybersecurity communities discussed the changes in the worldwide threat landscape since Russia invaded Ukraine in February. Although fears of a global cyber offensive against Ukraine’s allies have yet to be realized, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has continued to warn about the capabilities of both Russia and the cybercrime groups with which it is unofficially affiliated. (See CISA Issues Fresh Russia Cyber Warnings.)

Those criminal groups took up a significant amount of attention at the webinar, with participants noting that some prominent threat actors seem to have added political allegiance to their traditional financial motivations.

“We’ve already seen some Russian-speaking ransomware groups voice their support for Russia, with the Conti ransomware gang showing their support within hours of Russia’s invasion into Ukraine,” said Lauren Cirillo, a cyber threat intelligence analyst with the Electricity Information Sharing and Analysis Center (E-ISAC). “Other ransomware and data breach groups such as Karma, Freecivilian, and CoomingProject have declared support for Russia as well.”

Cirillo pointed to last year’s ransomware attack on Colonial Pipeline, which shut down the company’s entire 5,500-mile system carrying almost half the supply of fuel products for the eastern U.S., as an early indication of the kind of disruption that ransomware groups could accomplish. The FBI attributed the attack to a criminal gang based in Eastern Europe called DarkSide, which demanded a ransom payment of 75 bitcoin (then about $4.4 million).

“I personally find it fascinating that Colonial Pipeline paid the ransom in its entirety on the day of the ransomware’s deployment in their environment, but it still took five days to fully restart the pipeline,” Cirillo said. “This doesn’t include returning the pipeline supply chain to the state it was in before, which took several additional days to accomplish.”

Media reports following the incident claimed that while DarkSide provided Colonial with a decryption tool in exchange for payment as promised, the tool itself was too slow to be usable and the company had to rely on its backups to restore the affected systems. In testimony to Congress, Colonial’s CEO neither confirmed nor denied these stories. (See Colonial CEO Welcomes Federal Cyber Assistance.)

Despite an uptick in ransomware activity over the last year, Cirillo acknowledged that the E-ISAC has seen no sign of a sustained effort against the electric sector. One reason may be that the majority of actors in this space operate on a ransomware-as-a-service model, in which a core group develops and operates the ransomware while recruiting affiliates to break into networks and deploy it.

Cirillo said that for these organizations, “service definitely [appears] to be one of the top priorities,” and developers take pains to guard their reputations. For example, both DarkSide and its apparent successor group BlackMatter have promised to avoid attacking civilian infrastructure such as hospitals, water treatment facilities, and nuclear electric plants. Other groups have made similar pledges, such as donating their profits to charity.

However, this too may be changing, particularly among the ransomware groups that have aligned themselves with Russia’s invasion of Ukraine. Conti in particular became “one of the most heedless and unpredictable” actors in this space last year, with the E-ISAC recording multiple reports of attack attempts against small and medium-sized utilities, along with ransom demands far above those seen from other operators.

Conti appeared to be dealt a major blow earlier this year after a former member allegedly leaked the group’s internal chats online, exposing its tactics and processes. But Cirillo said that while researchers say the main group appears to have shut down operations, it is more likely that the leadership is pursuing a more distributed model by partnering with smaller ransomware groups to share expertise and plan attacks.

“Essentially, the Conti brand is allegedly being decommissioned, but their operations are expected to return,” Cirillo said. “Under this model, the smaller ransomware groups gain countless experienced operators while Conti gains mobility and greater evasion of law enforcement by splitting into smaller cells.”
