The US and UK have sanctioned seven Russians for their involvement in the cybercrime group TrickBot, whose malware was used to support attacks by the Conti and Ryuk ransomware operations.

TrickBot is a gang of cybercriminals responsible for the development of numerous malware families, such as the eponymous malware TrickBot, BazarBackdoor, Anchor and BumbleBee.

The TrickBot malware started out as a banking trojan distributed via phishing emails to steal online banking credentials. It then evolved into malware designed to provide initial access to corporate networks for the Ryuk and Conti ransomware operations.

As the TrickBot malware became widely detected by security software, its developers launched new malware families, such as BazarBackdoor, Anchor and BumbleBee, to infect targets more stealthily.

The TrickBot group was later taken over by the Conti ransomware gang, which continued developing the group's malware to support its own ransomware attacks.

The malware gang facilitated or led many high-profile ransomware attacks, including the attack on Ireland's Health Service Executive, widespread attacks on US hospitals, and the attack on the Government of Costa Rica.

The UK says the threat actors were responsible for 149 attacks on UK individuals and businesses, receiving ransom payments of at least £27m.

“The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for mining at least around £27 million,” says the UK sanctions announcement.

“There were 104 UK victims of the Conti strain who paid around £10m and 45 victims of the Ryuk strain who paid around £17m.”

Seven Russian individuals sanctioned

Today, the US and UK sanctioned seven people for their involvement in the TrickBot malware operation.

“Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot,” read an announcement by the US Treasury Department.

“This action represents the first-ever sanctions of its kind for the UK and is the result of a collaborative partnership between the Office of Foreign Assets Control of the US Department of the Treasury and the UK Foreign, Commonwealth and Development Office; the National Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware.”

The sanctions come after a slew of internal conversations and personal information were leaked from the Conti and TrickBot operations in what have been called the ContiLeaks and TrickLeaks.

While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went further, with the identities, online accounts, and personal information of TrickBot members leaked publicly on Twitter.

These leaks ultimately led to the Conti gang shutting down its operation, with its members launching new ransomware operations or joining existing ones.

As a result of these sanctions, all property and funds in the United States and United Kingdom belonging to the following individuals have been blocked.

Vitaly Kovalev was a senior member of the TrickBot group. Kovalev is also known by the online nicknames “Bentley” and “Ben”. Today an indictment was unsealed in the U.S. District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victims’ bank accounts held at various US-based financial institutions, which occurred in 2009 and 2010, before his involvement in Dyre or the TrickBot gang.

Maksim Mikhailov has been involved in development activities for the TrickBot group. Mikhailov is also known online as “Baget”.

Valentin Karyagin has been involved in the development of ransomware and other malicious projects. Karyagin is also known by the online nickname “Globus”.

Mikhail Iskritskiy worked on money laundering and fraud projects for the TrickBot group. Iskritskiy is also known by the online nickname “Tropa”.

Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Pleshevskiy is also known by the online nickname “Iseldor”.

Ivan Vakhromeyev worked for the TrickBot group as a manager. Vakhromeyev is also known by the online nickname “Mushroom”.

Valery Sedletski worked as an administrator for the TrickBot group, including server management. Sedletski is also known by the online nickname “Strix”.

In addition, US and UK individuals and companies are prohibited from conducting transactions with the sanctioned individuals, including paying ransoms to them.

As these individuals likely moved on to other ransomware operations after the Conti operation was shut down, this action could also significantly hinder ransom payments to other ransomware gangs known to have members previously affiliated with Conti.

This includes BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom, and DagonLocker.

“In addition, individuals who engage in certain transactions with designated individuals today may themselves be at risk of designation,” the Treasury Department warns.

“In addition, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services to any of the persons or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”
