U.S. and British authorities on Thursday announced sanctions against seven men for their involvement in ransomware attacks on hospitals and other targets, the latest measure targeting such gangs after officials began moving as aggressively against financially motivated attacks on critical infrastructure as they have against other threats to national security.
The U.S. Treasury Department identified the men as members of a Russia-based gang known as Trickbot, named for the software the group developed to take control of computers and which was first used to capture banking passwords.
The group specialized in hitting U.S. hospitals during the summer 2020 peak of the covid pandemic, drawing retaliation that fall from U.S. Cyber Command and Microsoft. But the group was able to recover and diversify, using other tools for their attacks.
Under the sanctions imposed Thursday, no American or U.K. resident can do business with the men, including sending them ransom, without prior approval from the government.
There was no mention of any arrests, and the sanctions will not do much by themselves to seriously reduce the scourge of ransomware, though some criminals might move away from the group. The seven men do not operate the version of Trickbot prevalent in recent attacks, researchers say. And because the sanctions are imposed only on individuals, not the group, it is likely to be difficult to determine if any one of them would receive a cut of a ransom.
Still, the actions taken Thursday were another sign that international cooperation against ransomware criminals is growing. It was the first time the United Kingdom had imposed sanctions on ransomware suspects, and came only two weeks after German authorities played a role in penetrating and shutting down another ransomware group, known as Hive, that also had targeted schools and hospitals.
British Foreign Secretary James Cleverly said that the sanctions were the beginning of deeper coordination with the Americans.
“These cynical cyberattacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organized crime — whatever its form and wherever it originates,” Cleverly said.
Ransomware has long been an international law enforcement issue, with many of the gangs that initiate an attack based in Eastern Europe or Russia. The U.S. said Thursday that some members of the Trickbot group “are associated with Russian intelligence services,” though it did not say that any of the seven were. It added that “the Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian intelligence services.”
Chats leaked last year from another Russian gang, known as Conti, showed deep ties between Conti and Trickbot, and included Conti members considering opening an office dedicated to work on behalf of the Russian government, according to Kimberly Goody, head of cybercrime analysis at Google’s Mandiant Intelligence unit, who has tracked the groups for years.
One of the sanctioned men, Vitaly Kovalev, was the subject of an 11-year-old indictment unsealed Thursday that accused him of running a network of money mules — people whose job it was to collect money from crimes in the United States to send to criminals elsewhere. The Treasury Department described him as a senior figure in Trickbot, and Goody said some evidence links one of Kovalev’s aliases, “Bentley,” to another group that developed GameOver Zeus, a program that infected hundreds of thousands of machines through 2014 and in some cases focused on espionage targets for Russian intelligence.
The other men sanctioned Thursday were Maksim Mikhailov, known online as “Baget”; Valentin Karyagin, whose online moniker is “Globus”; Mikhail Iskritskiy, known online as “Tropa”; Dmitry Pleshevskiy, known as “Iseldor”; Ivan Vakhromeyev, also known as “Mushroom,” and Valery Sedletski, known as “Strix.”
Each played a different role in Trickbot’s organization, from writing code to overseeing the organization, the Treasury Department said. All are believed to be in Russia, except for Mikhailov, who the Treasury Department said is a resident of Sevastopol in Russian-occupied Crimea.
“International cooperation is key to addressing Russian cybercrime,” the Treasury Department said in announcing the sanctions. “The United States and the United Kingdom are leaders in the global fight against cybercrime and are committed to using all available authorities and tools to defend against cyberthreats.”