US, UK authorities sanction Russian cyber criminals belonging to Trickbot group

Seven Russian cyber criminals were sanctioned by the U.K. and U.S. authorities in the first wave of new coordinated action against international cyber crime. These hackers are part of the Russia-based cybercrime Trickbot group, and have been associated with the development or deployment of a range of ransomware strains, which have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.

“Ransomware groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been responsible for the development and deployment of: Trickbot, Anchor, BazarLoader, BazarBackdoor as well as the ransomware strains Conti and Diavol,” the U.K. government said on Thursday. “They are also involved in the deployment of Ryuk ransomware.”

“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” said James Cleverly, foreign secretary of the U.K. “These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.”

Russia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners, the U.S. Department of the Treasury said in a Thursday statement. “These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.,” it added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) said last August in a joint advisory that the top malware strains of 2021 were Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader. Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years. In contrast, the advisory added, they have used Qakbot and Ursnif for more than a decade.

Trickbot, first identified in 2016 by security researchers, was a trojan that evolved from the Dyre trojan. Dyre was an online banking trojan operated by individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014. Dyre and Trickbot were developed and operated by a group of cybercriminals to steal financial data.

“The Trickbot trojan viruses infected millions of victim computers worldwide, including those of U.S. businesses, and individual victims. It has since evolved into a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the U.S. statement said. 

During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the U.S. In one of these attacks, the Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.

Current members of the Trickbot group are associated with Russian Intelligence Services, according to the U.S. statement. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the U.S. government and U.S. companies.”

The U.K. government said that ransomware criminals specifically target the systems of organizations they judge will pay them the most money and time their attacks to cause maximum damage, including targeting hospitals in the middle of the pandemic. It repeated that the groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot are behind Trickbot, Anchor, BazarLoader, BazarBackdoor, the Conti and Diavol ransomware strains, and the deployment of Ryuk.

“The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for extricating at least an estimated £27 million,” the government disclosed. “There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million. Conti was behind attacks that targeted hospitals, schools, businesses and local authorities, including the Scottish Environment Protection Agency. The group behind Conti extorted $180 million in ransomware in 2021 alone, according to research from Chainalysis,” it added.

The U.K. government further added that Conti was one of the first cyber crime groups to back Russia’s war in Ukraine, voicing their support for the Kremlin within 24 hours of the invasion. “Although the ransomware group responsible for Conti disbanded in May 2022, reporting suggests members of the group continue to be involved in some of the most notorious new ransomware strains that dominate and threaten UK security.”

Data released by blockchain data platform Chainalysis showed that strains related to Trickbot have extorted at least US$724 million worth of cryptocurrency in their lifetimes. This makes Trickbot the second highest earning cybercrime group, following the North Korean-linked Lazarus group.

“Because ransomware payments are demanded in cryptocurrency – usually Bitcoin – it may at first seem like cryptocurrency enables this extortion. But crypto is instrumental in fighting it,” Chainalysis wrote in a Thursday blog post. “The blockchain allows us to link ransomware actors together, including developers like Trickbot, affiliates like those who work for Conti, and other enablers. Cryptocurrency blockchains are transparent, and with the right tools, law enforcement agencies can follow the money on the blockchain to better understand and disrupt an organization’s operations and supply chain.”

Last month, Europol supported the German, Dutch, and U.S. authorities in disrupting and taking down the infrastructure used by Hive ransomware affiliates, involving law enforcement authorities from a total of 13 countries. The agency supported the shutting down of servers and provided decryption tools to victims. Law enforcement teams were able to identify the decryption keys and shared them with many of the victims, helping them regain access to their data without paying ransoms to the cybercriminals.

The U.S. Department of Justice announced its ‘months-long disruption’ campaign against the Hive ransomware group that has targeted more than 1,500 victims across over 80 countries around the world. The hackers have since 2021 targeted hospitals, school districts, financial firms, and critical infrastructure, and received over US$100 million in ransom payments.
