For many years, Russia-based ransomware gangs have launched devastating attacks on businesses, hospitals and public sector entities, extorting hundreds of millions of dollars from victims and causing untold destruction. And they did it with impunity, but no longer. Today, as part of the fight against ransomware gangs, the UK and US governments have exposed some of the criminals behind the attacks.
In a rare move, officials sanctioned seven alleged members of notorious ransomware gangs and made public their real names, dates of birth, email addresses and photos. All seven named cybercriminals are reported to belong to the Conti and Trickbot ransomware groups, which are related and often referred to as Wizard Spider. Moreover, the UK and US are now openly pointing out links between Conti and Trickbot and Russian intelligence agencies.
“By imposing sanctions on these cybercriminals, we are sending them and others involved in ransomware a clear signal that they will be held accountable,” British Foreign Secretary James Cleverly said Thursday. “These cynical cyberattacks are causing real damage to people’s lives and livelihoods.”
The seven gang members named by the two governments are Vitaly Kovalev, Maxim Mikhailov, Valentin Karyagin, Mikhail Iskritsky, Dmitry Pleshevsky, Ivan Vakhromeev, and Valery Sedletsky. The members all have online aliases, such as Baguette and Tropa, which they used to communicate with each other without using their real identities.
On Thursday, the UK’s National Cyber Security Centre (NCSC) said it was “highly likely” that members of the Conti group had ties to “Russian intelligence services” and that those agencies “probably” directed some of the gang’s activities. The NCSC is part of the British intelligence agency GCHQ, and this is the first time the UK has sanctioned ransomware criminals.
Similarly, the US Treasury has concluded that members of the Trickbot Group are “linked to Russian intelligence agencies.” It added that the group’s actions in 2020 were in line with Russia’s international interests and “targeting previously carried out by Russian special services.”
According to the US Department of the Treasury, the sanctioned individuals were involved in developing malware and ransomware, laundering money, committing fraud, injecting malicious code into websites to steal login details, and holding management roles. As part of the sanctions, the UK froze assets belonging to the ransomware attackers and imposed a travel ban on them. The US District Court for the District of New Jersey also unsealed an indictment charging Vitaly Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud against US financial institutions in 2009 and 2010.
Governments have struggled to deal with the growing threat of ransomware, largely because many criminal gangs operate in Russia. The Kremlin has given safe haven to these attackers as long as they don’t attack Russian companies. Last year, after a series of particularly aggressive and devastating attacks on targets in the US and UK, Russian law enforcement agencies detained over a dozen alleged members of the infamous REvil ransomware gang. But Russia continues to be the source of much cybercrime activity, including ransomware attacks.