US, UK sanction more Russians linked to Trickbot

The US and UK governments named and sanctioned 11 Russians said to be connected to the notorious Trickbot cybercrime crew this week.

The Feds have linked Trickbot's operators to Russian intelligence, and according to the US Treasury Department, all 11 men who have been added to the sanctions list are involved in management and procurement for the group. These sanctions follow a similar joint US-UK move in February against alleged Trickbot, Conti, and Ryuk criminals, and which marked the UK's first-ever cyber-related sanctions with America.

Being added to the sanctions list imposes travel bans and freezes these individuals' assets in either country. It also prohibits American and British individuals and organizations from doing business with those sanctioned. 

These orgs includes banks, and the US Treasury warns that any foreign financial institutions that knowingly facilitate "significant transactions" or provide "significant financial services" to any of the 11 Russians could also be subject to sanctions.

According to the UK National Crime Agency, the gang has extorted at least $180 million (£145 million) from people and orgs globally, and at least £27 million ($34 million) from 149 British victims, including hospitals, schools, businesses, and local governments. 

The 11 Russians are:

1. Andrey Zhuykov, a senior administrator for the gang, who also goes by Dif and Defender.
2. Maksim Galochkin, who led a group of testers with responsibilities for development, supervision, and implementation of tests. His online monikers include Bentley, Crypt, and Volhvb.
3. Maksim Rudenskiy, the team lead for coders.
4. Mikhail Tsarev, a manager who oversees human resources and finance. He is also known as Mango, Alexander Grachev, Super Misha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev.
5. Dmitry Putilin, who is associated with the purchase of Trickbot infrastructure, and also goes by Grad and Staff.
6. Maksim Khaliullin, a HR manager responsible for producing virtual private servers and other infrastructure. His online moniker is Kagas.
7. Sergey Loguntsov, a developer for the Trickbot group.
8. Vadym Valiakhmetov worked as a coder and is also known as Weldon, Mentos, and Vasm.
9. Artem Kurov, another coder who goes by Naned.
10. Mikhail Chernov was part of the internal utilities group and is known as Bullet.
11. Alexander Mozhaev, a member of the administrative team, who is also known by the online monikers Green and Rocco.

Also on Thursday, the US Justice Department unsealed three indictments against nine individuals allegedly involved in Trickbot and Conti ransomware infections, including seven of the newly sanctioned individuals.

Federal grand juries in northern Ohio, Tennessee, and southern California approved charges against the suspects including computer hacking, money laundering, and wire fraud.

"The Justice Department has taken action against individuals we allege developed and deployed a dangerous malware scheme used in cyberattacks on American school districts, local governments, and financial institutions," said US Attorney General Merrick Garland.

"Separately, we have also taken action against individuals we allege are behind one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services. These actions should serve as a warning to cybercriminals who target America's critical infrastructure that they cannot hide from the United States Department of Justice."

The Ohio federal indictment [PDF] charges nine people for their alleged roles in developing, deploying, managing, and profiting from Trickbot. If convicted, each defendant faces a maximum of 62 years in prison.

Meanwhile, the Tennessee rap sheet [PDF] charges four men for their alleged roles in using Conti to infect hundreds of victims including the computer systems of a sheriff's department, a police department, and emergency medical services. If convicted, each of the four face up to 25 years behind bars.

And the third indictment, returned in southern sunny California, charges one man — Galochkin — with three counts of hacking computers and deploying Conti on a Scripps Health hospital. 

The ransomware infection caused the "impairment of the medical examination, diagnosis, treatment, and care of one or more individuals, a threat to public health and safety, and damage affecting 10 or more protected computers during a one-year period," according to prosecutors [PDF].

Galochkin faces a maximum penalty of 20 years in prison.

• US, UK slap sanctions on Russians linked to Conti, Ryuk, Trickbot malware
• Feds offer $10m reward for info on alleged Russian ransomware crim
• Feds offer $10m reward for info on alleged Russian ransomware crim
• Kremlin-backed Sandworm strikes Android devices with data-stealing Infamous Chisel

Wizard Spider is the OG Russian crew behind the Trickbot malware, along with Conti and Ryuk, though the gang is more commonly known simply as Trickbot. It targets government agencies and private companies.

The Trickbot code was first spotted by security researchers in 2016, and it was a Windows software nasty that evolved from the Dyre banking trojan. Since then, it has grown into an entire malware suite that includes ransomware.

During the height of the COVID-19 pandemic in 2020, the bot's gang infected three Minnesota medical facilities with ransomware, locking staff out of their computers and phone networks, and forcing ambulances to be diverted to other hospitals.

Trickbot survived an attempted takedown in 2020 before reportedly shutting down its infrastructure in 2022. 

Conti, meanwhile, was used to infect more than 900 victims worldwide, including victims in 47 states, the District of Columbia, Puerto Rico, and 31 foreign countries, we're told. According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant, so far at least. ®