The governments of the United States and the United Kingdom have levied sanctions against seven Russian nationals for their role in the Trickbot cybercrime gang.
Both countries said the sanctions are part of a coordinated crackdown against the ransomware ecosystem.
The Trickbot gang, also known as Wizard Spider, is primarily known for its eponymous Trickbot malware botnet. In the past, Trickbot has rented access to computers infected by its malware to the Ryuk cybercrime group, which deployed its ransomware on corporate or government networks. In addition, Trickbot developed its own ransomware strains, known as Conti and Diavol, which it also deployed on systems previously infected by its botnet.
The UK government said that in the UK alone, 149 organizations paid at least £27 million following attacks with the Conti and Ryuk ransomware strains.
“There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million.”
Over the years, the Trickbot botnet has grown to become one of the largest malware operations to date, and the gang’s sub-group tasked with carrying out ransomware attacks has become one of the most despised ransomware gangs today after repeatedly targeting medical and healthcare facilities and disrupting their operations—even during the COVID-19 pandemic.
“Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
The US and UK sanctions announcements also include the first formal statement linking the Trickbot gang with the Russian government. Both the US and UK governments say that members of the Trickbot gang are associated with and maintain links to Russian intelligence services, “from whom they have likely received tasking.”
With Trickbot’s inclusion on the sanctioned entities list, US and UK companies are now forbidden from paying ransoms to the group, and financial entities are mandated to freeze any of the group’s assets.
Sanctions have proven very successful against ransomware gangs in the past, with the sanctions imposed against EvilCorp in 2019 effectively destroying their ransomware operation (Bitpaymer, Hades, WastedLocker) and making the group and its members pariahs in the cybercrime underground.
The seven sanctioned Trickbot members are:
- Vitaly Kovalev was a senior figure within the Trickbot group. Vitaly Kovalev is also known by the online monikers “Bentley” and “Ben.”
- Maksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also known by the online moniker “Baget.”
- Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known by the online moniker “Globus.”
- Mikhail Iskritskiy has worked on money laundering and fraud projects for the Trickbot group. Mikhail Iskritskiy is also known by the online moniker “Tropa.”
- Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry Pleshevskiy is also known by the online moniker “Iseldor.”
- Ivan Vakhromeyev has worked for the Trickbot group as a manager. Ivan Vakhromeyev is also known by the online moniker “Mushroom.”
- Valery Sedletski has worked as an administrator for the Trickbot group, including managing servers. Valery Sedletski is also known by the online moniker “Strix.”
The US Justice Department has also charged Trickbot’s Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts that occurred in 2009 and 2010 and predated his involvement in the Trickbot gang.