US, UK slap sanctions on Russians linked to Conti, Ryuk, Trickbot malware
Any act that sends so much as a ruble to seven named netizens now forbidden
The US and UK have sanctioned seven Russians for their alleged roles in disseminating Conti and Ryuk ransomware and the Trickbot banking trojan.
The move marks Great Britain's first-ever cyber crime sanctions. It also represents an ongoing effort between the two Western nations to take down Russian ransomware gangs and the larger cyber crime ecosystem that operates with impunity – and perhaps with Moscow's explicit support – from within Russia.
"We will continue to work with the United Kingdom and with other international partners to expose and disrupt cyber crime emanating from Russia," US secretary of state Anthony Blinken declared in a statement, adding that the seven individuals had been involved in "assaults against our critical infrastructure."
The seven men added to the sanctions list are:
- Vitaliy Kovalev;
- Valery Sedletski;
- Valentin Karyagin;
- Maksim Mikhailov;
- Dmitry Pleshevskiy;
- Mikhail Iskritskiy;
- Ivan Vakhromeyev.
In addition to imposing travel bans on the seven and freezing their assets, the sanctions prohibit American and British companies and individuals from conducting any business transactions with the named Russians.
That includes paying ransoms to decrypt data after ransomware attacks.
Also, the US Treasury Department warned any foreign financial institution that "knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to US correspondent or payable-through account sanctions."
In other words: foreign banks that facilitate ransomware payments aren't getting off the hook.
Conti and Ryuk ransomware extorted at least £27 million ($32.7 million) from 149 UK individuals and businesses, according to the government's estimate. This includes 104 Conti victims who paid about £10 million ($12.1 million), and 45 Ryuk victims who paid approximately £17 million ($20.6 million).
"The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies," UK National Crime Agency director-general Graeme Biggar revealed in a statement.
"They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public," Biggar continued.
The Russia-linked group behind Conti and Ryuk (which rebranded as Conti in 2020) – as well as Trickbot – is called Wizard Spider. The US government has been putting multi-million-dollar bounties on the criminals behind it.
Last spring, the State Department announced a reward of up to $15 million for information about the top leaders behind Conti and individuals that had participated in attacks using a variant of its malware.
At the time, the agency said Conti was the costliest strain of ransomware on record, and payouts from its more than 1,000 victims surpassed $150 million.
In early summer 2022, the group shut down its internal infrastructure – but its members have since been linked to other ransomware gangs, including Karakurt.
"While Wizard Spider's operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary's operations while they look for ways to circumvent the sanctions," CrowdStrike's head of intelligence Adam Meyers told The Register.
"Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name." ®