The US and UK governments announced joint sanctions against seven Russian cyber-criminals on 9 February.
The individuals are members of the notorious Trickbot malware gang, which the US and UK accuse of launching malicious cyber activities against critical infrastructure in both countries, including hospitals.
The sanctioned Russians were named as: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev and Valery Sedletski.
The sanctions mean that these cyber threat actors have had all their US and UK assets frozen and are banned from travelling to the two countries.
The US Department of Treasury also warned that any individuals or financial institutions that engages in transactions with the sanctioned Russian nationals “may themselves be exposed to designation.”
The department’s statement highlighted Trickbot’s association with Russian Intelligence Services, and claimed they are aligned to Russian state objectives, particularly since 2020.
Trickbot was first identified in 2016, starting life as a banking Trojan, but since evolving into a highly modular malware suite that gives the group the ability to conduct a range of cyber activities, including ransomware attacks.
Both the US and UK governments highlighted the gang’s involvement in developing ransomware strains targeting critical services as the principal reason for the coordinated designation.
In one example given, the US government said the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. It noted: “Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
The new sanctions are part of wider efforts to disrupt ransomware gangs among law enforcement and governments. In January 2023, a coordinated action between the FBI and Europol led to the Hive ransomware group’s infrastructure being taken down.
Brian E. Nelson, under secretary for terrorism and financial intelligence, commented: “Cyber-criminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses and exploit the international financial system.
“The US is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime,” Nelson said.
UK foreign secretary James Cleverly added: “By sanctioning these cyber-criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.
“These cynical cyber-attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organized crime – whatever its form and wherever it originates.”
Commenting on the story, Don Smith, vice president of research at Secureworks, discussed the significance of the sanctions in assisting law enforcement to disrupt Trickbot’s activities. He noted that the designations “give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions.”
Smith added: “These sanctions represent positive, coordinated steps in the global fight against ransomware.”
Raj Samani, SVP chief scientist at Rapid7, said the announcement will hopefully send a strong message to other cyber-criminals that their activities are not going unnoticed. “The impression that cybercrime is a risk free endeavour will be shattered with the news this morning that seven individuals have been sanctioned by the UK government.
In the statement relating to the sanctions, the UK government emphasized the scale of the damage caused by ransomware to the UK economy. It said 149 UK individuals and businesses have been affected by the Conti and Ryuk ransomware strains alone, extricating an estimated £27m ($33m) in extortion payments.
The Russian-based Conti gang announced in May 2022 that it had stopped operations. This followed the group's internal documentation and internal chat logs being leaked by a Ukrainian researcher just days after coming out in support for Russia's invasion of Ukraine. However, former Conti actors are believed to be remaining active in the cybercrime underworld.