US and UK Impose Sanctions on 11 Russians Linked to Trickbot

The United States and the United Kingdom have imposed sanctions on 11 Russian citizens believed to be involved in the ransomware operations of TrickBot and Conti. TrickBot (also known as ITG23, Gold Blackburn, and Wizard Spider) is considered a financially motivated hacking group, best known for developing the TrickBot banking trojan.

Over the years, TrickBot evolved from a classic banking trojan designed to steal funds from bank accounts into a multifunctional dropper that spreads other threats, including miners, ransomware, and infostealers. Last year, TrickBot came under the control of the Conti malware operators, who used the group’s malware to support their own attacks and strengthen threats like BazarBackdoor and Anchor.

After February 2022, a researcher leaked the internal communications of the Conti group. Soon after, another individual under the alias TrickLeaks began leaking information about TrickBot’s operations, confirming the connection between the two groups. Ultimately, these leaks led to Conti ceasing operations and splitting into several other groups, including Royal, Black Basta, and ZEON.

According to the US and UK governments, 11 members of TrickBot and Conti have now been sanctioned for their cybercriminal activities, which resulted in the theft of $180 million from companies and organizations worldwide.

“According to the NCA, this group was responsible for extorting at least $180 million from victims worldwide, as well as at least £27 million from 149 victims in the UK. Their targets included British hospitals, schools, local authorities, and businesses,” stated the UK’s National Crime Agency.

The US Department of the Treasury also announced the sanctions:

“Today’s targets include key individuals involved in the management and supply of the Trickbot group, which attacked the US government and American companies, including hospitals,” the Treasury’s statement reads. “During the COVID-19 pandemic, the Trickbot group attacked many critical infrastructure facilities and healthcare institutions in the US.”

The sanctions will result in the freezing of all property and assets belonging to the hackers in the US and UK. Individuals and companies are now prohibited from conducting transactions with these persons, including making ransom payments.

List of Sanctioned Individuals

The following 11 individuals, all Russian citizens according to authorities, are subject to the new sanctions:

  • Andrey Zhuykov: Considered one of the group’s leaders and served as a senior administrator. Known online as Dif and Defender.
  • Maksim Galochkin: Led the testing team, responsible for development, oversight, and testing. Known online as Bentley, Crypt, Volhvb.
  • Maksim Rudensky: Also considered a key member of TrickBot and head of the coders.
  • Mikhail Tsarev: Allegedly served as a manager, overseeing personnel and finances, as well as accounting. Known online as Mango, Super Misha, “Alexander Grachev,” Ivanov Mixail, “Misha Krutysha,” “Nikita Andreevich Tsarev.”
  • Dmitry Putilin: Allegedly involved in procurement for TrickBot’s infrastructure. Known online as Grad and Staff.
  • Maksim Khaliullin: Believed to be the group’s HR manager and also involved in infrastructure procurement, including virtual private servers (VPS). Known online as Kagas.
  • Sergey Loguntsov: Considered one of TrickBot’s developers.
  • Vadim Valiahmetov: Allegedly a TrickBot coder, known online as Weldon, Mentos, Vasm.
  • Artem Kurov: Also considered a coder and developer for TrickBot. Known online as Naned.
  • Mikhail Chernov: Allegedly part of TrickBot’s utilities group, known as Bullet.
  • Alexander Mozhaev: Considered one of the administrators responsible for general administrative functions, known online as Green and Rocco.

These sanctions add to those already imposed on seven TrickBot members in February 2023.

Impact on Ransomware Groups

As noted above, after Conti’s shutdown, many group members joined other hacking groups, meaning the new sanctions could significantly hinder ransom payments to other extortionists. Groups believed to be affected include BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom, and DagonLocker.

In the past, similar sanctions have led to the closure and “rebranding” of ransomware groups, as negotiation firms refused to make payments to sanctioned individuals.