Nearly a dozen key members of the Russian-based cybercriminal gang Trickbot have been singled out by the US Treasury and Department of State (DoJ), with support from the UK. However, experts are giving mixed reviews as to whether the well-intended sanctions will be impactful enough to make a proper dent in the ransomware landscape. Cybernews has the story.
“Today’s targets include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services and has targeted the US government and US companies, including hospitals,” the US Treasury Department’s Office of Foreign Assets Control (OFAC) said on Thursday.
OFAC took action against seven individuals, while the DoJ simultaneously unsealed indictments against nine individuals connected to Trickbot malware and Conti ransomware schemes, with the overlap bringing the total to eleven.
The second wave of sanctions
It’s the second wave of sanctions against members responsible for the daily material operations of the nefarious group, including administrators, managers, developers, and coders.
OFAC, which accuses the Kremlin of having long provided “a safe haven” for various cybercriminal factions, designated its first batch of seven Russian nationals back in February – also in collaboration with the Brits.
OFAC’s Specially Designated Nationals and Blocked Persons list, also known as the "SDN List," prevents an individual from traveling to and from the US and UK, as well as any allied nation.
The designated individual will also be subjected to having all their property seized, assets frozen, and prohibited from dealing with US citizens or within the US.
"The cybercriminals designated today played various roles in supporting ransomware attacks, including management, server administration, and software development within the Trickbot and Conti ecosystems,” said Kimberly Goody, Mandiant's head of cybercrime analysis.
“Among many other attacks, this group supported a disruptive ransomware campaign against the US healthcare system during the height of the COVID pandemic that their associates privately remarked would spur a ‘panic,’” Goody said.
In one such pandemic timed attack, the Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances.
According to US officials, Trickbot members “publicly gloated over the ease of targeting the medical facilities and the speed with which ransoms had been paid to the group.”
Goody called Trickbot’s Covid campaign one of the “most dangerous and deplorable cyberattacks” her team had ever witnessed.
Who is Trickbot?
Security researchers first identified Trickbot in 2016.
At the time, the Trickbot virus was recognized as an evolved iteration of Dyre, a known Moscow-based online banking trojan used to steal financial data.
The trojan was deployed, infecting millions of computers in the US and worldwide, but always outside of Russia.
In its current iteration, Trickbot is now “a highly modular malware suite” providing the Trickbot gang with the "ability to carry out a variety of malicious cyber activities, including ransomware,” according to US officials.
Trickbot has no problem sharing its malicious software with other criminal groups and national governments that pay for access, researchers have said.
Members of the Trickbot group are also known to be associated with Russian intelligence services.
Are sanctions really enough?
While the sanctions and indictments are a positive step forward in the containment of ransomware threats, many security insiders are questioning whether it’s enough.
“The Conti cybercrime gang caused havoc to organizations until it was disrupted by law enforcement earlier this year,” said Mike Newman, CEO of My1Login.
The gang operated a ransomware-as-a-service model where criminals could rent their infrastructure to carry out devastating attacks on businesses, often using spear-phishing or stolen credentials to gain an initial foothold, Newman said.
Newman said “with Conti being closely affiliated with the Russian government, it's highly unlikely they will be forced out of the country to be tried in court in the US or UK.”
In fact, Newman believes that the attackers will likely be able to continue with their lives as normal in Russia.
But it's not all bad news. Newman also says the public naming of the members demonstrates that the UK and US governments got deep enough into Trickbot’s infrastructure to work out their identities.
“This next move will make it harder for the attackers to stay under the shadows. However, the one question everyone will be asking now is whether the sanctions will make any real difference,” Newman said.
Jon Miller, CEO and co-founder of the anti-ransomware platform Halcyon, agrees that the sanctions are welcome news, but that more needs to be done to stem the ransomware epidemic.
“While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall law enforcement has had very little impact in regard to disrupting ransomware operations,” Miller said.
Spotlighting the close relations between groups like Conti, the Putin regime, and its intelligence, Miller points out the “weird overlap of cybercriminal activity with nation-state-supported operations, and with the Russian ransomware model.
Miller said the overlap not only “conveniently allows for plausible deniability for Russia” but also puts the US and allied governments in tough positions, both in determining the attribution for the attacks and what actions to take.
"The Russians need to be very cautious about how they conduct such attacks, so they don't trigger an international incident that would elicit a direct response from the US or their allies," Miller said.
Miller believes until the US government directly sanctions the Putin regime for its direct or tacit support, the spate of ransomware attacks will not abate any time soon.
Though these actions against the Conti-Trickbot members are necessary, Miller said, "even if they are arrested, there will quickly be someone to take their place,”
The Russian eleven
The gang of eleven singled out today by OFAC and the DoJ are said to have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support” of Trickbot operations.
Managerial leaders of the cybercriminal group include Andrey Zhuykov (aka Dif and Defender), a central actor and senior administrator; and Mikhail Tsarev (aka Mango, Alexander Grachev, Super Misha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev), in charge of human resources and finance.
Additionally; Maksim Khaliullin (aka Kagas), for HR management and infrastructure procurement; and Dmitry Putilin (aka Grad and Staff), for purchasing and infrastructure setup.
Mid-level operators include Maksim Galochkin (aka Bentley, Crypt, and Volhvb), with development and implementation of tests, plus supervision of testers; Maksim Rudenskiy, team lead for coders; and Sergey Loguntsov, a developer.
Other designated Trickbot members are coders Vadym Valiakhmetov (aka Weldon, Mentos, and Vasm) and Artem Kurov (aka Naned), as well as Mikhail Chernov (aka Bullet), internal utilities, and Alexander Mozhaev (aka Green and Rocco), in general administrative duties.
“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian Nelson.
“In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities,” Nelson said.
This latest move also marks the first such designation under the UK’s recently tabled national cyber strategy.
More from Cybernews:
Subscribe to our newsletter