Seven cybercriminals belonging to notorious malware empire TrickBot have been hit with sanctions by the US and the UK in a coordinated anti-cybercrime campaign. The operation also targets Ransomware-as-a-Service gangs including Conti and Ryuk, which are said to have extorted £27m from 149 UK companies.
The National Crime Agency (NCA) has sanctioned seven Russian nationals who are accused of being members of TrickBot. The campaign was led by the NCA, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign Commonwealth and Development Office (FCDO), and officials from the Treasury, with the aim of disrupting Russian hackers.
Seven TrickBot members sanctioned by the NCA
The NCA says the campaign is ongoing and will continue to pursue all investigative lines of enquiry to disrupt the ransomware threat to the UK in collaboration with its international partners.
It has targeted TrickBot, as well as notorious ransomware gangs Conti, Ryuk and Wizard Spider, also known as Darkside, the gang who implemented the now famous attack on the US Colonial Pipeline, which led to US President Joe Biden delaring a state of national emergency.
Conti and Ryuk have been actively targeting UK organisations, infiltrating 149 businesses to rob them of a combined £27m, the NCA said. The groups were responsible for attacks on schools, businesses and local authorities, and globally Conti is said to have stolen $180m in 2021 alone.
TrickBot originated as a banking trojan, but is not considered to be a modular malware enterprise, associated with follow-on ransomware infections. But its empire now includes numerous plug-in modules, crypto-mining and persistence capabilities. In 2020 the US cyber command acted to blunt TrickBot’s reach in a bid to protect the US election infrastructure, according to a report by the Centre for International Security.
The names of the criminals affected by the sanctions are Vitaliy Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevsky, Mikhail Iskritskiy and Ivan Vakhromeyev. They will be stopped from accessing financial services around the world.
The sanctions are “the first of their kind for the UK” according to Graeme Biggar, director general of the National Crime Agency. “They signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies,” Biggar said. “They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public,” he said.
Security Minister Tom Tugendhat added: “We’re targeting cyber criminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, hurt many and disrupted lives, at great expense to the taxpayer.
“Cyber crime knows no boundaries and threatens our national security. These sanctions identify and expose those responsible.”