The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations.
TrickBot is a cybercrime gang responsible for developing numerous malware families, such as the eponymous TrickBot malware, BazarBackdoor, Anchor, and BumbleBee.
The TrickBot malware started as a banking trojan distributed via phishing emails to steal online bank accounts. It later evolved into malware designed to provide initial access to corporate networks for the Ryuk/Conti ransomware operation.
As the malware became widely detected by security software, the developers launched new malware families, such as BazarBackdoor, Anchor, and BumbleBee, to provide more stealthy infection of targets.
The TrickBot group was later taken over by the Conti ransomware gang, who took charge of developing the group's malware to support their own ransomware attacks.
The malware gang has facilitated or conducted numerous high-profile ransomware attacks, including the attack on Ireland's Health Service Executive, widespread attacks on U.S. hospitals, and attacks on the Government of Costa Rica.
The United Kingdom states that the threat actors were responsible for 149 attacks on U.K. individuals and businesses, receiving ransom payments of at least £27 million.
"The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for extricating at least an estimated £27 million," says the United Kingdom's announcement on the sanctions.
"There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million."
Seven Russian individuals sanctioned
Today, the United States and the United Kingdom have sanctioned seven individuals for their involvement in the TrickBot malware operation.
"Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot," read an announcement by the U.S. Department of the Treasury.
"This action represents the very first sanctions of their kind for the U.K., and result from a collaborative partnership between the U.S. Department of the Treasury's Office of Foreign Assets Control and the U.K.'s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty's Treasury to disrupt Russian cybercrime and ransomware."
The sanctions come after a massive trove of internal conversations and personal information was leaked from Conti and TrickBot members in what became known as the ContiLeaks and TrickLeaks.
While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went one step further, with the identities, online accounts, and personal information of TrickBot members publicly leaked on Twitter.
These data breaches ultimately led to the Conti gang shutting down their operation and their members starting new ransomware operations or joining existing ones.
As a result of these sanctions, all property and funds in the United States and the United Kingdom belonging to the following individuals have been blocked.
Vitaly Kovalev was a senior figure within the Trickbot Group. Vitaly Kovalev is also known by the online monikers "Bentley" and "Ben". Today, an indictment was unsealed in the U.S. District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various U.S.-based financial institutions that occurred in 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.
Maksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also known by the online moniker "Baget".
Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known by the online moniker "Globus".
Mikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group. Mikhail Iskritskiy is also known by the online moniker "Tropa".
Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims' credentials. Dmitry Pleshevskiy is also known by the online moniker "Iseldor".
Ivan Vakhromeyev has worked for the Trickbot Group as a manager. Ivan Vakhromeyev is also known by the online moniker "Mushroom".
Valery Sedletski has worked as an administrator for the Trickbot Group, including managing servers. Valery Sedletski is also known by the online moniker "Strix".
Furthermore, individuals and companies are blocked from performing transactions with these individuals, including paying ransoms.
As these individuals likely moved on to other ransomware operations after the Conti operation shut down, this action could also significantly hamper the payment of ransoms to other ransomware gangs known to have members previously affiliated with Conti.
This includes BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom, and DagonLocker.
"In addition, persons that engage in certain transactions with the individuals designated today may themselves be exposed to designation," warns the Department of Treasury.
"Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions."
Comments
NoneRain - 1 year ago
News like these never fail to put a smile on my face.
One thing govs should start considering is to apply this kind of sanction to all ransom payments. If they can't receive money, the value of attacks would decrease.
Yeah, they probably would sell the data, but, most of them sell it anyway.
I say ransom attacks would drop significantly in no time. It's harder to sell than to ransom.
asdfadsf - 1 year ago
Technically it already is illegal to pay the ransom since these are deemed terrorist groups. In many cases in recent years, they've gone after backups, too -- successfully. I was involved in a large organization's recovery in which a group deleted all the backups. The FBI told the business it was illegal to pay, but that the business had to do what they had to do, and the FBI was fine with it. In some cases, it's literally pay the ransom or go out of business.
tverweij - 1 year ago
It is nice that they (govs) do this, but the fact remains that in at least 90% of all ransomware infections the breach was made because patches were not applied.
Further, on almost all systems I see, even clients, PowerShell scripting is enabled, the scripting host is enabled and (worst) macros are enabled in MS Office. And almost all ransomware variants need at least one of them to install - and for the users that functionality is almost never needed.
And, of course, the use of administrative accounts. For users. And for the system administrators, even when they do things that do not need those rights.
As long as this continues, the ransomware gangs will make big bucks.
I say to the governments and companies: Hold the system administrators accountable when patches were not installed, when scripting engines are enabled when they are not needed and when users are in the possession of administrative rights.
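An added example, not written by the commenter or the article's author: a PowerShell audit that checks a client for the four gaps the comment above lists (Windows Script Host on, Office macros allowed, unrestricted PowerShell, and a user with local administrator rights). The registry paths are the documented Windows and Office policy keys; the "16.0" Office version path and the Administrators-group check being direct membership only are assumptions.

```powershell
# Added example: report which of the four controls from the comment are missing.
# Read-only; no elevation needed. Assumes Office 2016/2019/365 ("16.0" policy path).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Windows Script Host: Enabled = 0 under this key disables wscript.exe/cscript.exe.
$wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
if (-not $wsh -or $wsh.Enabled -ne 0) {
    $findings.Add('Windows Script Host is enabled (set ...\Windows Script Host\Settings\Enabled = 0)')
}

# 2. Office macros (per-user policy keys): VBAWarnings 3 = only signed macros,
#    4 = disable all without notification; blockcontentexecutionfrominternet 1 =
#    block macros in files that carry the Mark-of-the-Web. A missing value reads as
#    $null, which compares below 3 / not equal 1, so "no policy" is flagged too.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    if (-not $sec -or $sec.VBAWarnings -lt 3) {
        $findings.Add("$app: macro policy not enforced (VBAWarnings should be 3 or 4)")
    }
    if (-not $sec -or $sec.blockcontentexecutionfrominternet -ne 1) {
        $findings.Add("$app: internet-sourced macros not blocked (blockcontentexecutionfrominternet should be 1)")
    }
}

# 3. PowerShell: a plain client should run in ConstrainedLanguage mode (enforced via
#    AppLocker/WDAC) and have script block logging on so any abuse is at least visible.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    $findings.Add("PowerShell runs in $mode mode, not ConstrainedLanguage")
}
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    $findings.Add('PowerShell script block logging is not enabled (EnableScriptBlockLogging should be 1)')
}

# 4. Administrative rights: direct membership of the local Administrators group
#    (nested domain groups are not expanded here).
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $me) {
    $findings.Add("Current user $me is a member of the local Administrators group")
}

if ($findings.Count -eq 0) { 'No findings: all four controls are in place.' }
else { $findings | ForEach-Object { "[!] $_" } }
```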
h_b_s - 1 year ago
Doesn't help that Microsoft patches are now being issued cumulatively and routinely breaking necessary services due to lack of robust testing. Also doesn't help that some important MS security "patches" aren't actually patching the cause of the problem, instead all they're doing is patching away the symptoms. They're putting band-aids on gaping wounds. It's a Catch-22 for admins. Damned by attackers in minutes, or potentially break vital services your employer depends on every day? No, switching to Linux is not an option, and neither are Macs in most cases.
tverweij - 1 year ago
Agreed, but I use security above functionality.
Patch as soon as it is available - only uninstall when that leads to a blue screen / software crash - but only on the machines where it causes a blue screen or software crash; all other machines keep the patch. When this happens it is mostly only one or two machines with the problem.
In all other cases: investigate and find a work around.
If a workaround is not possible and the functionality is really, really needed: uninstall the patch. Again, only on the machine(s) that suffer from that patch. Keep as many machines as possible on the latest patch level.
For the cases where I have to uninstall: I keep watching BleepingComputer and Microsoft or other suppliers to see if a workaround is shared. If so, I implement that and install the patch directly after that.
And the next patch-round: everything is patched again, repeating the story. In a lot of cases where there were problems with a patch, the next month that problem is gone, even when there was no communication about it from Microsoft or other supplier.
And yes, the users sometimes suffer from that.
But it is better than the alternative: damned by attackers in minutes.
horsedoggs - 1 year ago
I tend to lean on:
Patching with Hyper-V checkpoints
Cloud-managed AV/EDR solutions such as Emsisoft which even the domain admin can't disable
MFA for all user remote access including VPN and RD Gateway
Nothing unnecessary is publicly exposed.
MFA-protected, cloud-managed, monitored backup for on-prem NAS with cloud replication (backups cannot be deleted by domain admin)
I’m still paranoid but that’s the game we play.