In a joint action by the US and the UK law enforcement agencies, sanctions were imposed on seven known Russian cyber criminals connected to a Russia-aligned single network behind the Conti and Ryuk ransomware gangs as well as the Trickbot banking trojan.
In total, sanctions were imposed on fifteen individuals and five firms till now as part of the joint action by the Office of Foreign Assets Control, U.S. Department of the Treasury and the Office of Financial Sanctions Implementation, HM Treasury, UK.
The sanctions mean the individuals have their assets frozen and face travel bans.
“The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime,” Under Secretary Brian E. Nelson said in a US Treasury statement.
Trickbot, which was once considered one of the internet’s most dangerous security threats, It has the capability to steal financial information, spread itself through networks, and install ransomware.
“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies,” said UK National Crime Agency Director-General Graeme Biggar in the government’s official announcement of the move.
Accused Russian cybercriminals
The current members of the Trickbot Group are believed to be connected to Russian Intelligence Services, according to the US Treasury statement.
They aligned their activities in 2020 with the objectives and targeting practices of the Russian state. This involved targeting the U.S. government and American businesses.
As per the detailed statement from the UK government, the joint operation has till now listed a total of 13 Russian nationals and two Chinese individuals and five organisations for government sanctions.
The seven individuals added to the list are:
Vitaliy Kovalev, aka Bentley
Valentin Karyagin, aka Globus
Mikhail Isktritskiy, aka Tropa
Dmitry Pleshevskiy, aka Iseldor
Maksim Michailov, aka Baget
Ivan Vakhromeyev, aka Ivanalert/Mushroom
Valery Sedletski, aka Strix
According to the US Treasury statement, all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to the Office of Foreign Assets Control, U.S. Department of the Treasury.
Anybody or any foreign financial institution dealing with these individuals in the US could face government action, including penalty and imprisonment. Coincidentally, ransom payments too can be considered such a financial transaction.
“Making funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions,” said the UK government statement.
“Organisations should have or should put in place robust cyber security and incident management systems in place to prevent and manage serious cyber incidents.”
Russian cybercriminals and damage inflicted
The groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been implicated in the creation and distribution of several malware, including Trickbot, Anchor, BazarLoader, BazarBackdoor, and the ransomware strains Conti and Diavol.
Additionally, they are believed to be involved in the deployment of Ryuk ransomware, according to the UK government statement.
“The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for extricating at least an estimated £27 million,” the statement said.
“There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million.”
Conti was notorious for its attacks on hospitals, schools, businesses, and government entities, including the Scottish Environment Protection Agency. According to Chainalysis, the group behind Conti alone extorted $180 million in ransomware in 2021.
The group responsible for Conti was one of the first cybercrime organizations to express support for Russia’s war in Ukraine, publicly endorsing the Kremlin’s actions within 24 hours of the invasion.
Despite the disbandment of the group responsible for Conti in May 2022, reports suggest that some of its members continue to be involved in new, prominent ransomware strains that pose a threat to UK security.
Risk of Russian cyber attacks continue
According to the National Cyber Security Centre (NCSC), UK, it is nearly certain that the Conti group’s primary motivation was financial gain, and that they selected their targets based on the estimated ransom they could extract from them.
Group members are almost certainly linked to Russian Intelligence Services and are likely to have received directives from them.
The targeting of specific organizations, such as the International Olympic Committee, by the group is almost certainly in line with Russian state objectives, said the UK government statement.
It is highly probable that the Conti group originated from prior cybercrime organizations and has extensive connections to other cyber criminals, including EvilCorp and those responsible for Ryuk ransomware, it added.