US and UK sanction members of Russia-based Trickbot cybercrime gang

The United States and United Kingdom join forces to impose historic cyber sanction.

Seven individuals from the the Russia-based cybercrime gang Trickbot have been sanctioned in a joint action by agencies from the US and the UK. The cyber criminals were associated with a range of ransomware strains that have targeted both the UK and US.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses, and exploit the international financial system,” said US Treasury Under Secretary Brian E Nelson. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

This is the first sanction of this kind imposed by the UK, and is a result of collaboration between the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware. The seven individuals have had assets frozen, been banned from travelling, and been severely restricted in their use of the global financial system.

“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account”, said UK Foreign Secretary James Cleverly.

“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates”, he added.

Trickbot Group

In this action, sanctions were filed against:

  • Vitaly Kovalev – who was a senior figure within the Trickbot Group, and is also known online as “Bentley” and “Ben”. The US District Court for the District of New Jersey is also charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim’s bank accounts. These frauds occurred in 2009 and 2010, before his involvement in the Trickbot Group.
  • Maksim Mikhailov – who has been involved in development activity for the Trickbot Group (“Baget”).
  • Valentin Karyagin – who has been involved in the development of ransomware and other malware projects (“Globus”).
  • Mikhail Iskritskiy – who has worked on money-laundering and fraud projects for the Trickbot Group (“Tropa”).
  • Dmitry Pleshevskiy – who has worked on injecting malicious code into websites to steal victims’ credentials (“Iseldor”).
  • Ivan Vakhromeyev – who has worked for the Trickbot Group as a manager (“Mushroom”).
  • Valery Sedletski – who has worked as an administrator for the Trickbot Group, including managing servers (“Strix”).

OFAC is designating each of these seven pursuant to “Executive Order (E.O.) 13694, as amended by E.O. 13757, for having materially assisted, sponsored, or provided material, or technological support for, or goods or services to or in support of, an activity described in subsection (a)(ii) of section 1 of E.O. 13694, as amended”.

“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public”, said UK National Crime Agency Director-General Graeme Biggar. 

Ransom guidance

In the wake of the sanctions, the OFSI has also updated its public guidance on how to respond to ransomware attacks. The clear message is not to pay out ransom demands.

“Ransomware payments to criminal actors perpetuate the threat and sustain the criminal marketplace. Payment of a ransom further encourages the targeting of UK business and does not remove criminal actors’ access to networks, leaving them open to future attacks”, the guidance says.

“The payment of a ransom does not guarantee a victim will regain access to their data or computer and increases the likelihood they will be targeted in the future.”

“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.”

James Cleverly, UK Foreign Secretary

Trojan virus

As we reported earlier, Russia remains a haven for cybercriminals and hackers, and almost 75% of all attacks are linked to the country.

Trickbot was first identified in 2016, and was a trojan virus that had evolved from the Dyre trojan – an online banking trojan that began operating in mid-2014 in Moscow, Russia. Both were developed to steal financial data.

The first Trickbot trojan viruses infected millions of computers worldwide, and have since evolved into a highly modular malware suite that can conduct a variety of illegal cyber activities, such as ransomware attacks.

In 2020, the group also started to target hospitals and healthcare centers in the US during the Covid-19 pandemic.