The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations.

The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

After numerous takedown attempts by the U.S. government, the Conti ransomware gang took control of the TrickBot operation and its development, using it to enhance more advanced and stealthy malware, such as BazarBackdoor and Anchor.

However, after Russia invaded Ukraine, a Ukrainian researcher leaked Conti ransomware gang’s internal communications in what is known as the Conti Leaks.

Soon after, another unknown individual, under the moniker TrickLeaks, started to leak information about the TrickBot operation, further illustrating the ties between the two groups.

Ultimately, these leaks led to the shutdown of the Conti ransomware operation, which has now splintered into numerous other ransomware operations, such as Royal, Black Basta, and ZEON.

Conti and TrickBot members sanctioned

Today, eleven members of the TrickBot and Conti operation were sanctioned by the U.S. and United Kingdom governments for cybercrime activities that led to the theft of $180 million worldwide.

“The NCA assesses that the group was responsible for extorting at least $180m from victims globally, and at least £27m from 149 UK victims. The attackers sought to target U.K. hospitals, schools, local authorities and businesses,” reads an announcement from the U.K.’s National Crime Agency.

The U.S. Department of Treasury also announced the sanctions today, warning that some Trickbot group members are associated with Russian intelligence services and their activities aligned with the country’s interests.

“Today’s targets include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals,” announced the U.S. Department of Treasury. 

“During the COVID-19 pandemic, the Trickbot group targeted many critical infrastructure and health care providers in the United States.”

These announcements coincide with the unsealing of indictments against nine individuals in connection with the Trickbot malware and Conti ransomware operations, which will likely be announced later today.

Below are the eleven individuals sanctioned by the U.K. and USA, all believed to be Russian nationals.

These sanctions are in addition to the seven TrickBot/Conti members sanctioned in February.

As part of these sanctions, all United Kingdom and USA organizations are prohibited from conducting financial transactions with these individuals, including paying ransom demands.

With many of the Conti ransomware members now involved in other ransomware operations, this will create a slippery slope for organizations and ransomware negotiation firms, who can no longer make ransom payments without facing the risks associated with violating OFAC regulations.

In the past, sanctions have led to the downfall, or at least rebranding, of ransomware operations after negotiation firms refused to make payments to sanctioned gangs.

The US has previously sanctioned numerous individuals for their involvement in ransomware operations, including CryptoLocker, SamSam, WannaCry, Evil Corp, REvil, and BlackShadow/Pay2Key.