US and UK authorities have sanctioned seven Russians who are believed to be involved in the activities of the TrickBot hack group, whose malware was used to support the Conti and Ryuk ransomware attacks.
As a reminder, the TrickBot group (also tracked as ITG23, Gold Blackburn and Wizard Spider) is a financially motivated group known mainly for developing the TrickBot banking Trojan of the same name.
Over the years, TrickBot evolved from a classic banker built to steal funds from bank accounts into a multifunctional dropper that delivers other threats, from miners and ransomware to infostealers. Last year, TrickBot was completely absorbed by the Conti ransomware operators, who used the group’s malware to support their own ransomware attacks.
The US and UK authorities have now announced sanctions against seven people they believe were involved in TrickBot malware operations.
“Today, the United States, in conjunction with the UK, is designating seven individuals who are part of the Russia-based cybercriminal group Trickbot,” the US Treasury Department said in a statement.
The British authorities, in turn, write that “the attackers are responsible for 149 attacks on individuals and businesses in the UK, receiving ransoms of at least 27 million pounds.”
“104 victims of the Conti ransomware from the UK paid [the attackers] about £10 million, and 45 victims of the Ryuk ransomware paid about £17 million,” law enforcement officials calculated.
The sanctions, aimed at curbing Russian cybercrime and ransomware, are reported to be the result of a partnership between the US Treasury’s Office of Foreign Assets Control (OFAC), the UK Foreign, Commonwealth and Development Office, the UK National Crime Agency and HM Treasury.
The sanctions follow a large-scale leak of internal chats and personal information of Conti and TrickBot members, the so-called ContiLeaks and TrickLeaks incidents.
While the Conti leak mostly exposed internal conversations and the group’s source code, the TrickBot leak was even more damaging: personal details, online accounts and other personal information about TrickBot members were posted on Twitter.
Ultimately, these leaks led to Conti ceasing operations and splintering into several other groups.
The sanctions now imposed block all property and funds belonging to the following individuals in the US and UK. Individuals and companies in those jurisdictions are also prohibited from transacting with them, including paying ransoms.
Vitaly Kovalev is considered one of the leaders of TrickBot. Known online under the nicknames Bentley and Ben. The U.S. District Court for the District of New Jersey unsealed an indictment charging Kovalev with conspiracy to commit bank fraud and bank fraud, in connection with a series of bank account intrusions at various US financial institutions in 2009 and 2010, before Dyre or TrickBot existed.
Maxim Mikhailov allegedly did development work at TrickBot. Known online as Baget.
Valentin Karyagin, according to the authorities, participated in the development of ransomware and other malicious projects. Known online as Globus.
Mikhail Iskritsky allegedly worked for TrickBot on money laundering and fraud projects. Known online as Tropa.
Dmitry Pleshevsky allegedly worked on injecting malicious code into websites to steal victims’ credentials. Known online as Iseldor.
Ivan Vakhromeev is considered a manager of the TrickBot group. Known online as Mushroom.
Valery Sedletsky was allegedly an administrator at TrickBot, including managing servers. Known online as Strix.
Cybersecurity researchers believe that after Conti’s shutdown these people likely moved on to other groups, meaning the sanctions may make it much harder to pay ransoms to other extortion gangs previously associated with Conti. That list includes BlackCat, Royal, AvosLocker, Karakurt, LockBit, Silent Ransom and DagonLocker.