
U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

In a first-of-its-kind coordinated action, the U.K. and U.S.
governments on Thursday levied sanctions against seven Russian
nationals for their affiliation with the TrickBot, Ryuk, and Conti
cybercrime operation.

The individuals designated[1]
under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or
Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka
Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka
Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski
(aka Strix).

“Current members of the TrickBot group are associated with
Russian Intelligence Services,” the U.S. Treasury Department
noted[2]. “The TrickBot group’s
preparations in 2020 aligned them to Russian state objectives and
targeting previously conducted by Russian Intelligence
Services.”

TrickBot, which is attributed to a threat actor named ITG23,
Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative
of the Dyre banking trojan and evolved into a highly modular malware framework[3] capable of distributing
additional payloads. The group most recently shifted focus to
attack Ukraine[4].

The infamous malware-as-a-service (MaaS) platform, up until its
formal closure[5]
early last year, served as a prominent vehicle for countless Ryuk
and Conti ransomware attacks, with the latter eventually taking over control[6]
of the TrickBot criminal enterprise prior to its own shutdown in
mid-2022.

Over the years, Wizard Spider has expanded its custom tooling
with a set of sophisticated malware such as Diavol[7], BazarBackdoor[8], Anchor[9], and BumbleBee[10], while simultaneously
targeting multiple countries and industries, including academia,
energy, financial services, and governments.

“While Wizard Spider’s operations have significantly reduced
following the demise of Conti in June 2022, these sanctions will
likely cause disruption to the adversary’s operations while they
look for ways to circumvent the sanctions,” Adam Meyers, head of
intelligence at CrowdStrike, said in a statement.

“Often, when cybercriminal groups are disrupted, they will go
dark for a time only to rebrand under a new name.”

Per the Treasury Department, the sanctioned persons are said to
be involved in the development of ransomware and other malware
projects as well as money laundering and injecting malicious code
into websites to steal victims’ credentials.

Kovalev has also been charged with conspiracy to commit bank fraud[11] in connection with a
series of intrusions into victim bank accounts held at U.S.-based
financial institutions, with the goal of transferring those funds to
other accounts under the conspirators' control.

The attacks, which occurred in 2009 and 2010 and predate
Kovalev's involvement with Dyre and TrickBot, are said to have led to
unauthorized transfers amounting to nearly $1 million, of which
at least $720,000 was transferred overseas.

What’s more, Kovalev is also said to have worked closely on
Gameover ZeuS[12], a peer-to-peer botnet
that was temporarily dismantled in 2014. Vyacheslav Igorevich
Penchukov, one of the operators of the Zeus malware, was arrested[13] by Swiss authorities in
November 2022.

U.K. intelligence officials further assessed[14] that the organized
crime group has “extensive links” to another Russia-based outfit
known as Evil Corp[15], which was also
sanctioned by the U.S. in December 2019.

The announcement is the latest salvo in an ongoing battle to
disrupt ransomware gangs and the broader crimeware ecosystem, and
comes close on the heels of the takedown of Hive infrastructure[16] last month.

The efforts are also complicated by the fact that Russia has long offered[17] a safe haven[18] for criminal groups[19], enabling them to carry
out attacks without facing any repercussions as long as the
attacks don't single out domestic targets or Russia's allies.

The sanctions “give law enforcement and financial institutions
the mandates and mechanisms needed to seize assets and cause
financial disruption to the designated individuals while avoiding
criminalizing and re-victimising the victim by placing them in the
impossible position of choosing between paying a ransom to recover
their business or violating sanctions," Don Smith, vice president
of threat research at Secureworks, said.

According to data from NCC Group, ransomware attacks witnessed a
5% decline in 2022, dropping from 2,667 the previous year to 2,531,
even as victims are increasingly[20] refusing to pay up[21], leading to a slump in
illicit revenues.

“This decline in attack volume and value is probably in part due
to an increasingly hardline, collaborative response from
governments and law enforcement, and of course the global impact of
the war in Ukraine,” Matt Hull, global head of threat intelligence
at NCC Group, said[22].

Despite the dip, ransomware actors are proving to be
"effective innovators" who are "willing to find any opportunity and
technique to extort money from their victims with data leaks and
DDoS being added to their arsenal to mask more sophisticated
attacks," the company added.


References

  1. designated (home.treasury.gov)
  2. noted (home.treasury.gov)
  3. highly modular malware framework (thehackernews.com)
  4. attack Ukraine (thehackernews.com)
  5. formal closure (thehackernews.com)
  6. taking over control (thehackernews.com)
  7. Diavol (thehackernews.com)
  8. BazarBackdoor (thehackernews.com)
  9. Anchor (thehackernews.com)
  10. BumbleBee (thehackernews.com)
  11. commit bank fraud (www.justice.gov)
  12. Gameover ZeuS (krebsonsecurity.com)
  13. arrested (thehackernews.com)
  14. assessed (www.gov.uk)
  15. Evil Corp (thehackernews.com)
  16. Hive infrastructure (thehackernews.com)
  17. long offered (www.washingtonpost.com)
  18. safe haven (www.wired.com)
  19. criminal groups (duo.com)
  20. increasingly (thehackernews.com)
  21. refusing to pay up (thehackernews.com)
  22. said (newsroom.nccgroup.com)
  23. Twitter (twitter.com)
  24. LinkedIn (www.linkedin.com)
