US and UK law enforcement agencies have imposed sanctions on seven members of the cybercrime gang behind the TrickBot malware, including its top management. Cooperation between the U.S. Department of the Treasury and the U.K. Foreign, Commonwealth and Development Office resulted in identifying the key actors of this malware gang. The sanctions place serious restrictions on the financial operations of everyone involved.
TrickBot Members Sanctioned
On February 9, 2023, the US Department of the Treasury announced sanctions against seven Russian nationals allegedly involved in the operation of the TrickBot malware. This advanced trojan has consistently targeted numerous companies and government organisations around the world, causing disruptions and financial losses. This honourless gang is known for attacking hospitals and healthcare centres during the first COVID-19 outbreaks back in 2020. Even though Russia utterly ignores internationally wanted cybercriminals under its jurisdiction, it is still possible to strike back.
Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime. — Under Secretary Brian E. Nelson.
List of sanctioned persons:

| Name | Role in the TrickBot group |
| --- | --- |
| Vitaly Kovalev | Key person of the TrickBot group, a.k.a. “Bentley” or “Ben” on various online forums. Managed attacks on US financial institutions back in 2009 and is therefore accused of bank fraud and a series of intrusions into the bank accounts of malware victims. |
| Valery Sedletski | Gang administrator, in charge of server management. Uses the nickname “Strix”. |
| Ivan Vakhromeyev | Team manager in TrickBot. Uses the nickname “Mushroom”. |
| Valentin Karyagin | Developer of the ransomware payload delivered by TrickBot. Uses the nickname “Globus”. |
| Mikhail Iskritsky | Key person in the money laundering schemes used by the gang. Known online as “Tropa”. |
| Maksim Mikhailov | Main payload developer. Active online under the nickname “Baget”. |
| Dmitry Pleshevskiy | In charge of injecting malware into websites as the step that precedes the theft of money. Uses the nickname “Iseldor” to communicate online. |
U.S. authorities announced the confiscation of any property that belongs to the designated individuals and is located under US control. Additionally, these sanctions expose any financial organisation that knowingly provides services to the named persons to secondary sanctions. Paying money to these threat actors is considered sponsoring the crime and is therefore unlawful. This applies to both bank and cryptocurrency transfers, whether made voluntarily or as a ransom payment after an attack. [1]
What is TrickBot malware?
TrickBot is a banking trojan that also carries the capability to inject other malware into the system, i.e. it acts as a malware dropper. Appearing back in 2016, it started as a banking stealer – a malware type that aims precisely at banking credentials. Over time, it evolved into a modular malware that acts mostly as a delivery infrastructure for other malware, particularly the Conti and Ryuk ransomware. Nonetheless, it did not lose its original functionality, so it is able both to wreak havoc with ransomware and to pickpocket in its own, stealer’s fashion.
The massive scale of its attacks, together with the targeting of critical infrastructure and government organisations, predictably earned this gang an ill reputation. Its members became wanted by law enforcement agencies in numerous countries around the world, but, as mentioned above, Russia has never been quick to give up its hackers, except in rare cases. Meanwhile, feeling their impunity, the TrickBot group together with their “partners” turned even more aggressive. Obviously, sanctions will not stop these crooks from doing their dirty deeds, but they will create a lot of problems with money laundering and with any transactions involving the dirty money they hold.
[1] UK government’s notice on the sanctions against Russian hackers.