U.S. and U.K. sanction TrickBot and Conti ransomware operation members

The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operation.

TrickBot is a cybercrime gang responsible for developing numerous malware families, such as the eponymous TrickBot malware, BazarBackdoor, Anchor, and BumbleBee. 

The TrickBot malware started as a banking trojan distributed via phishing emails to steal online bank accounts. It later evolved into malware designed to provide initial access to corporate networks for the Ryuk/Conti ransomware operation.

As the malware became widely detected by security software, the developers launched new malware families, such as BazarBackdoor, Anchor, and BumbleBee, to provide more stealthy infection of targets.

The TrickBot group was later taken over by the Conti ransomware gang, who took charge of developing the group's malware to support their own ransomware attacks.

The malware gang has facilitated or conducted numerous high-profile ransomware attacks, including the attack on Ireland's Health Service Executive, widespread attacks on U.S. hospitals, and the Government of Costa Rica.

The United Kingdom states that the threat actors were responsible for 149 attacks on U.K. individuals and businesses, receiving ransom payments of at least £27 million.

"The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for extricating at least an estimated £27 million," says the United Kingdom's announcement on the sanctions.

"There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million."

Seven Russian individuals sanctioned

Today, the United States and the United Kingdom have sanctioned seven individuals for their involvement in the TrickBot malware operation.

"Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot," read an announcement by the U.S. Department of the Treasury.

"This action represents the very first sanctions of their kind for the U.K., and result from a collaborative partnership between the U.S. Department of the Treasury's Office of Foreign Assets Control and the U.K.'s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty's Treasury to disrupt Russian cybercrime and ransomware."

The sanctions come after a massive trove of internal conversations, and personal information was leaked from Conti and TrickBot members in what was called the ContiLeaks and TrickLeaks.

While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went one step further, with the identities, online accounts, and personal information of TrickBot members publicly leaked on Twitter.

These data breaches ultimately led to the Conti gang shutting down their operation and their members starting new ransomware operations or joining existing ones.

As a result of these sanctions, all property and funds in the United States and the United Kingdom belonging to the following individuals have been blocked.

Vitaly Kovalev was a senior figure within the Trickbot Group. Vitaly Kovalev is also known as the online monikers “Bentley” and “Ben”. Today, an indictment was unsealed in the U.S. District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various U.S.-based financial institutions that occurred in 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.

Maksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also known as the online moniker “Baget”.

Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known as the online moniker “Globus”.

Mikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group. Mikhail Iskritskiy is also known as the online moniker “Tropa”.

Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry Pleshevskiy is also known as the online moniker “Iseldor”.

Ivan Vakhromeyev has worked for the Trickbot Group as a manager. Ivan Vakhromeyev is also known as the online moniker “Mushroom”.

Valery Sedletski has worked as an administrator for the Trickbot Group, including managing servers. Valery Sedletski is also known as the online moniker “Strix”.

Furthermore, individuals and companies are blocked from performing transactions with the individuals, including paying ransoms.

As these individuals likely moved on to other ransomware operations after the Conti operation shut down, this action could also significantly hamper the payment of ransoms to other ransomware gangs known to have members previously affiliated with Conti.

This includes BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom, and DagonLocker.

"In addition, persons that engage in certain transactions with the individuals designated today may themselves be exposed to designation," warns the Department of Treasury.

"Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions."