For the second time this year, regulatory agencies in the United States and United Kingdom have sanctioned several alleged members of the notorious Trickbot group, a cybercrime gang with strong connections to Russian intelligence organizations that has been engaged in intrusions and ransomware operations for many years.
The 11 Russian nationals sanctioned Thursday by the Department of the Treasury’s Office of Foreign Asset Control include alleged administrators, developers, testers, and coders who officials say were instrumental in the development and operation of the Trickbot infrastructure. The Department of Justice also unsealed indictments against seven of the newly designated people, along with two other Russian nationals.
“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian E. Nelson. “In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”
The actions by OFAC essentially prohibit any U.S. citizen or entity from doing business with any of the sanctioned people. The sanctioned individuals include Andrey Zhuykov, Maksim Galochkin, Maksim Rudenskiy, Mikhail Tsarev, Dmitry Putilin, Maksim Khaliullin, Sergey Loguntsov, Artem Kurov, Mikhail Chernov, and Alexander Mozhaev.
In February, the U.S. and U.K. authorities sanctioned seven other people allegedly associated with the Trickbot group, which has been active since at least 2016. The group, also known as Wizard Spider, grew out of the older Dyre malware group, which was a highly prolific banking trojan operation. In the years since, Trickbot has become a modular and highly versatile piece of malware that is often seen in ransomware infections and has been associated with the Conti ransomware group as well as the BazarLoader and Ryuk ransomware.
In the past, U.S. law enforcement officials have alluded to the connection between the Trickbot gang and the Russian government, but in today’s announcements, they pulled no punches.
“Today’s targets include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals,” the Treasury press release says.
“Members of the Trickbot group are associated with Russian intelligence services. The Trickbot group’s preparations in 2020 aligned them to Russian state objectives and actions taken by the Russian intelligence services. This included targeting the U.S. Government and U.S. companies.”
The indictments of the alleged Trickbot group members were filed in California, Ohio, and Tennessee, and charge the defendants with using Trickbot to steal sensitive information.
“The defendants charged in these three indictments across three different jurisdictions allegedly used their cyber knowledge and capabilities to victimize people and businesses around the world without regard for the damage they caused,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division.
“These indictments should serve as a reminder that no matter a cybercriminal’s location, we will identify and pursue them by doing everything in our power to ensure they face the consequences of their actions.”
The sanctions from OFAC also have the effect of preventing U.S. people or organizations from paying ransoms to any of the designated individuals. The U.K.’s Commonwealth and Development Office also sanctioned the same individuals.
“These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims. Our sanctions show they cannot act with impunity. We know who they are and what they are doing,” said U.K. Foreign Secretary James Cleverly.
“By exposing their identities, we are disrupting their business models and making it harder for them to target our people, our businesses and our institutions.”