U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

On Thursday, the UK and US governments imposed sanctions on seven Russian citizens for their involvement in the TrickBot, Ryuk and Conti cybercriminal operations.

The individuals named under the sanctions are Vitaly Kovalev (aka Alex Connor, Bentley or Bergen), Maxim Mikhailov (aka Baguette), Valentin Karyagin (aka Grobus), Mikhail Iskritsky (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletsky (aka Strix).

“Current members of the TrickBot group have ties to Russian intelligence,” said the U.S. Treasury Department. “The TrickBot group’s preparations for 2020 were aligned with the goals of the Russian state and the targeting previously carried out by Russian intelligence services.”

TrickBot, attributed to the threat actor tracked as ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking Trojan and evolved into a highly modular malware framework capable of distributing additional payloads. The group has recently shifted its focus to attacking Ukraine.

The infamous Malware-as-a-Service (MaaS) platform served as a prominent vehicle for countless Ryuk and Conti ransomware attacks until it was officially shut down early last year, with the Conti group ultimately taking control of the TrickBot criminal enterprise before shutting down itself in mid-2022.

Over the years, Wizard Spider has expanded its custom tooling with an array of advanced malware such as Diavol, BazarBackdoor, Anchor, and BumbleBee, while simultaneously targeting multiple countries and industries, including academia, energy, financial services, and government.

“While Wizard Spider operations have been significantly curtailed following Conti’s death in June 2022, these sanctions could disrupt operations for adversaries seeking ways to circumvent them,” said Adam Meyers, head of intelligence at CrowdStrike, in a statement.

“Often, when cybercriminal groups get confused, they go out of business temporarily just to rebrand with a new name.”

According to the Treasury Department, the sanctioned individuals are said to be involved in developing ransomware and other malware projects, as well as laundering money and injecting malicious code into websites to steal victims’ credentials.

Kovalev was also charged with conspiracy to commit bank fraud for his involvement in a series of intrusions into victims’ bank accounts held at U.S.-based financial institutions, with the aim of transferring those funds to other accounts under his control.

The attacks, which took place in 2009 and 2010 and preceded Kovalev’s activity with Dyre and TrickBot, are said to have led to nearly $1 million in unauthorized transfers, at least $720,000 of which was sent abroad.

Additionally, Kovalev is said to have worked closely with Gameover ZeuS, a peer-to-peer botnet that was temporarily dismantled in 2014. One of the ZeuS malware operators, Vyacheslav Igorevich Penchukov, was arrested by Swiss authorities in November 2022.

British intelligence officials further assessed that the organized crime group had “extensive ties” with another Russia-based group known as Evil Corp, which was sanctioned by the United States in December 2019.

The announcement is the latest salvo in an ongoing battle to disrupt ransomware gangs and the broader crimeware ecosystem, following last month’s removal of Hive infrastructure.

Russia has long provided a safe haven for criminal groups, allowing them to carry out attacks with impunity as long as they do not target domestic entities or the country’s allies.

Sanctions “provide law enforcement and financial institutions with the necessary powers and mechanisms to seize assets and cause economic disruption to designated individuals, while also avoiding criminalizing victims and making them repeat victims by putting them in the impossible position of choosing whether to pay a ransom and violate business obligations or sanctions,” said Don Smith, vice president of threat research at Secureworks.

Data from NCC Group shows that ransomware attacks fell 5% in 2022, from 2,667 the year before to 2,531, with illicit proceeds also declining as more victims refuse to pay.

Despite the slump, ransomware actors have proven to be “effective innovators,” said Matt Hull, Global Head of Threat Intelligence at NCC Group, adding that they “add data exfiltration and DDoS to their arsenal to mask more sophisticated attacks” and “are trying to find every opportunity and method to extort money from” victims, the company added.
