Trickbot: US and UK announce sanctions against 7 Russian cybercriminals

Rick Steves

Seven individuals were ID’ed by the United States and the United Kingdom as part of the Russia-based cybercrime gang Trickbot, in an attempt to disrupt Russian cybercrime and ransomware.

In Russia, cybercriminals like Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K., and allies and partners, targeting critical infrastructure, including hospitals and medical facilities during a global pandemic, according to the announcement.

Last month, Treasury’s Financial Crimes Enforcement Network (FinCEN) identified a Russia-based virtual currency exchange, Bitzlato Limited, as a “primary money laundering concern” in connection with Russian illicit finance.

In early February, ION Cleared Derivatives fell victim to the Russia-based ransomware gang LockBit. The hack forced several European and U.S. banks to revert to manual processes. The firm had until 6 February to pay the ransom, which was allegedly paid, according to the gang, which said it provided a decryption key to ION.

The 2021 Sanctions Review found that sanctions are most effective when coordinated with international partners and highlighted the deepened partnership between OFAC and the UK’s Office of Financial Sanctions Implementation.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime”, said Under Secretary Brian E. Nelson.

Who is Trickbot?

Trickbot, first identified in 2016 by security researchers, was a trojan virus that evolved from the Dyre trojan. Dyre was an online banking trojan operated by individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014.

Dyre and Trickbot were developed and operated by a group of cybercriminals to steal financial data. The Trickbot trojan viruses infected millions of victim computers worldwide, including those of U.S. businesses and individual victims.

It has since evolved into a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks.

During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States.

In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.

Whoever engages with them could also be sanctioned

Current members of the Trickbot Group are associated with Russian Intelligence Services, said the official announcement, adding they are aligned with Russian state objectives.

The US and UK authorities point to Vitaly Kovalev as a senior figure within the Trickbot Group and are charging him with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various U.S.-based financial institutions that occurred in 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.

Other individuals related to the Trickbot Group include Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski.

As a result of today’s action, all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.

OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons.

In addition, persons that engage in certain transactions with the individuals designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.
