In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.
The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix).
“Current members of the TrickBot group are associated with Russian Intelligence Services,” the U.S. Treasury Department noted. “The TrickBot group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services.”
TrickBot, which is attributed to a threat actor tracked as ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a highly modular malware framework capable of distributing additional payloads. The group most recently shifted focus to attack Ukraine.
The infamous malware-as-a-service (MaaS) platform, up until its formal closure early last year, served as a prominent vehicle for countless Ryuk and Conti ransomware attacks, with the latter eventually taking over control of the TrickBot criminal enterprise prior to its own shutdown in mid-2022.
Over the years, Wizard Spider has expanded its custom tooling with a set of sophisticated malware such as Diavol, BazarBackdoor, Anchor, and BumbleBee, while simultaneously targeting multiple countries and industries, including academia, energy, financial services, and governments.
“While Wizard Spider’s operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary’s operations while they look for ways to circumvent the sanctions,” Adam Meyers, head of intelligence at CrowdStrike, said in a statement.
“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name.”
Per the Treasury Department, the sanctioned persons are said to be involved in the development of ransomware and other malware projects as well as money laundering and injecting malicious code into websites to steal victims’ credentials.
Kovalev has also been charged with conspiracy to commit bank fraud in connection with a series of intrusions into victim bank accounts held at U.S.-based financial institutions with the goal of transferring those funds to other accounts under their control.
The attacks, which occurred in 2009 and 2010 and predate Kovalev’s tryst with Dyre and TrickBot, are said to have led to unauthorized transfers amounting to nearly $1 million, out of which at least $720,000 was transferred overseas.
What’s more, Kovalev is also said to have worked closely on Gameover ZeuS, a peer-to-peer botnet that was temporarily dismantled in 2014. Vyacheslav Igorevich Penchukov, one of the operators of the Zeus malware, was arrested by Swiss authorities in November 2022.
U.K. intelligence officials further assessed that the organized crime group has “extensive links” to another Russia-based outfit known as Evil Corp, which was also sanctioned by the U.S. in December 2019.
The announcement is the latest salvo in an ongoing battle to disrupt ransomware gangs and the broader crimeware ecosystem, and comes close on the heels of the takedown of Hive infrastructure last month.
The efforts are also complicated as Russia has long offered a safe haven for criminal groups, enabling them to carry out attacks without facing any repercussions as long as the assaults don’t single out domestic targets or its allies.
The sanctions “give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions,” Don Smith, vice president of threat research at Secureworks, said.
According to data from NCC Group, ransomware attacks witnessed a 5% decline in 2022, dropping from 2,667 the previous year to 2,531, even as victims are increasingly refusing to pay up, leading to a slump in illicit revenues.
“This decline in attack volume and value is probably in part due to an increasingly hardline, collaborative response from governments and law enforcement, and of course the global impact of the war in Ukraine,” Matt Hull, global head of threat intelligence at NCC Group, said.
Despite the dip, ransomware actors are also turning out to be “effective innovators” who are “willing to find any opportunity and technique to extort money from their victims with data leaks and DDoS being added to their arsenal to mask more sophisticated attacks,” the company added.