Eleven members of the Russian ransomware group Conti have been exposed in a joint operation by law enforcement agencies in the UK and the US. The gang is believed to have extorted £27m from 149 UK-based victims as part of a crime spree spanning several years.
Investigations by the UK’s National Crime Agency (NCA) and the FBI identified that the men, all Russian nationals, were influential members of the group, working as developers, administrators who facilitated payments from ransom funds, and managers who recruited new members from cybercrime forums.
The US Department of Justice has also unsealed indictments against nine individuals in connection with the Trickbot malware conspiracy, including seven of the individuals named as Conti members today. Trickbot is another Russian ransomware gang thought to have been taken over by Conti, which later used the group’s malware as part of its attacks.
UK and US target cybercriminals behind Conti and Trickbot
Sanctions have been placed on 11 men suspected of being part of Conti and Trickbot. They are Andrey Zhuykov – described as the group’s “central actor” – Maksim Galochkin, Maksim Rudenskiy, Mikhail Tsarev, Dmitry Putilin, Maksim Khaliullin, Sergey Loguntsov, Vadym Valiakhmetov, Artem Kurov, Mikhail Chernov and Alexander Mozhaev.
The sanctions have been brought by the FCDO and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), and mean those named can have assets seized by the UK and US governments, and are banned from making financial transactions. Any businesses and individuals that facilitate such transactions could themselves be sanctioned. They are also banned from travelling.
Today’s news follows sanctions issued to seven other members of the group in February.
Rob Jones, NCA director general of operations, said: “These sanctions are a continuation of our campaign against international cyber criminals.
“Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.
“These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.”
Foreign Secretary James Cleverly said the criminals “thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims”. Cleverly added: “Our sanctions show they cannot act with impunity. We know who they are and what they are doing.
“By exposing their identities, we are dismantling their business models, making it harder for them to target our people, our businesses and our institutions.”
Conti’s campaign of chaos coming to an end?
The NCA assesses that Conti and Trickbot were responsible for extorting at least £27m from 149 UK victims. Research by Chainalysis suggests they have attempted to extort more than $800m from victims including hospitals, schools, local authorities and businesses.
Internationally, its biggest victim was the nation of Costa Rica, which saw multiple public services shut down for weeks after the gang successfully attacked government servers last year. Conti reportedly disbanded following the attack, though security researchers were sceptical about this.
As reported by Tech Monitor, last week the NCA supported the FBI and DoJ in the takedown of the Qakbot botnet, used by Conti and other gangs like REvil and Black Basta in ransomware attacks.
Lindy Cameron, CEO of the UK’s National Cyber Security Centre, said: “Alongside this latest round of sanctions, I strongly encourage organisations to proactively obstruct the activities of ransomware operatives by bolstering their online resilience.”
She added: “Ransomware continues to be a significant threat facing the UK and attacks can have significant and far-reaching impact.”