US, UK sanction 7 alleged members of infamous Russian Trickbot hacking gang

In a first-of-its-kind coordinated action, authorities in the United States and the United Kingdom have sanctioned seven individuals allegedly behind the infamous Russia-based cybercrime gang Trickbot.

The action, which marks the first time that British officials have issued sanctions against suspected ransomware operators, saw the U.S. Treasury and the U.K. Foreign Office levy sanctions against the Russian hackers allegedly connected to a single network behind the Conti and Ryuk ransomware variants, as well as the infamous Trickbot banking trojan. This also marks the first time authorities have linked Conti, Ryuk and Trickbot to a single criminal organization.

U.K. authorities also assess that the individuals have links to the Russia-based cybercriminal group known as Evil Corp, which was also sanctioned by U.S. Treasury in December 2019.

The latest sanctions mean the seven individuals — named as Vitaly Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev — had their assets frozen, travel bans imposed and are barred from transacting with U.S. organizations. That also bars Americans from paying any ransom to the sanctioned entities. U.S. authorities have also charged Kovalev, described as a senior figure within Trickbot who is known online as “Bentley” and “Ben,” with conspiracy to commit bank fraud and eight counts of bank fraud.

As the seven individuals are all based in Russia, which does not extradite its citizens, arrests by U.S. or U.K. law enforcement are unlikely.

The U.K. National Crime Agency says the group was responsible for extorting at least £27 million ($33 million) from 149 U.K. victims, including hospitals, schools, businesses and local authorities. In its announcement, the Treasury noted that Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the U.S. during the height of the COVID-19 pandemic. Trickbot was also linked to the September ransomware attack on the Los Angeles Unified School District, or LAUSD, the second-largest district in the United States.

In a recent announcement, the U.S. government said that Conti — which rebranded from Ryuk in 2020 — had carried out more than 1,000 ransomware operations targeting U.S. and international critical infrastructure, including law enforcement agencies, emergency medical services and 911 dispatch centers. Most recently, the gang infiltrated 27 government institutions in Costa Rica and demanded a $20 million ransom.

The Treasury on Thursday also said that current members of Trickbot are associated with Russian intelligence. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services,” it said. “This included targeting the U.S. government and U.S. companies.”

The U.K. National Cyber Security Centre, part of GCHQ, also assessed that it is “highly likely” that key members maintain links to Russian intelligence services. “The targeting of certain organizations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives,” it said.

This latest takedown comes just weeks after law enforcement agencies in the U.S. and Europe announced that they had seized the infrastructure behind Hive, one of the most prolific ransomware operations. Hive is responsible for attacks on Costa Rica’s public health service and New York-based emergency response and ambulance service provider Empress EMS.