The United States and United Kingdom governments have sanctioned seven Russian nationals who they allege are part of the prolific Trickbot cybercrime group, which has been active for nearly a decade, has been associated with Ryuk and Conti ransomware, and has targeted hospitals, schools, government agencies, and other sensitive organizations.
The sanctions from the Department of the Treasury’s Office of Foreign Assets Control and the UK’s Foreign, Commonwealth, and Development Office are the result of a joint, ongoing investigation into the Trickbot group’s activities and are the latest move in the U.S. government’s campaign against cybercrime and ransomware groups. OFAC has sanctioned a number of Russian and Chinese individuals associated with cybercrime and APT activity, and last month the Department of Justice arrested the alleged operator of the Bitzlato cryptocurrency exchange, which authorities say was a major hub for laundering ransomware payments.
The individuals sanctioned by the agencies are Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. Also on Thursday, the U.S. indicted Kovalev for bank fraud and conspiracy to commit bank fraud. Treasury officials said Thursday that current members of the Trickbot group are associated with Russian intelligence agencies.
“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” said Treasury Under Secretary Brian Nelson. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”
The Trickbot group, which is also known as Wizard Spider, has been around for about seven years and evolved from an older group that developed and deployed the Dyre trojan. The group is based in Russia and historically has been financially motivated, targeting companies in the U.S., UK, and around the world, with the notable exception of Russia. Though the sanctioned men are all Russians, the effects of the sanctions could still be tangible for them.
"These are smaller cogs in a larger machine but at the very least it does go to ensuring there are consequences to this sort of activity. It could pose a risk to them or their livelihood even if they don't make the mistake of leaving their country," said Jeremy Kennelly, principal, lead analyst at Mandiant-Google Cloud.
While U.S. agencies have imposed sanctions against cybercrime groups and individuals in the past, this is a first for the UK.
“This is a hugely significant moment for the UK and our collaborative efforts with OFAC to disrupt international cyber criminals,” Graeme Biggar, director general of the UK National Crime Agency, said.
“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.”
As with many cybercrime operations, the Trickbot group has evolved over time and has been affiliated with a number of other organizations, most notoriously the Conti ransomware group. Conti was among the more audacious and damaging ransomware crews on the board before it shut down operations in mid-2022 after intense investigations from law enforcement and security researchers. Trickbot also is often associated with the Emotet malware and has been known to deliver the Ryuk ransomware and BazarLoader malware, as well.
"It’s complicated but it is in large part a number of closely affiliated groups with social and financial ties. The impression that this is amorphous comes from that set of affiliations," Kennelly said.
“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” UK Foreign Secretary James Cleverly said.