Britain and US make major move against ransomware gangs by sanctioning seven individuals

The United Kingdom and United States on Thursday sanctioned seven people connected to what officials have told The Record is a single network behind the Conti and Ryuk ransomware gangs as well as the Trickbot banking trojan.

The sanctions are described as the first major move of a “new campaign of concerted action” between Britain and the United States, and insiders say that further actions should be expected later this year.

The sanctions mean the individuals have their assets frozen and face travel bans, according to the British government.

In addition to the sanctions, the U.S. Department of Justice also charged the hacker known as “Bentley” — alleged real name Vitaly Kovalev — with conspiracy to commit bank fraud and eight counts of bank fraud.

The individuals added to the consolidated list of financial sanctions targets do not comprise the entirety of the network, although the operational reasons for sanctioning them and not others were not disclosed. They are:

• Vitaliy Kovalev, aka Bentley
• Mikhail Isktritskiy, aka Tropa
• Valentin Karyagin, aka Globus
• Maksim Michailov, aka Baget
• Dmitry Pleshevskiy, aka Iseldor
• Valery Sedletski, aka Strix
• Ivan Vakhromeyev, aka Ivanalert/Mushroom

The joint action is the first public attribution by Western governments formally linking the Conti and Ryuk ransomware gangs and the Trickbot banking trojan to a single criminal organization.

Thursday's actions follow announcement last October by the British Office of Financial Sanctions Implementation (OFSI) and the U.S. Treasury's Office of Foreign Assets Control (OFAC) of an “enhanced partnership” amid increased sanctions addressing the Russian invasion of Ukraine.

It is the first time that OFSI has issued sanctions against a ransomware group amid a growing number of high-profile attacks in the country, potentially meaning that companies who make an extortion payment could be in breach of the law.

As the U.K. government warned: “Making funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions.”

The Record has spoken to officials who say the British government has adopted a cautious approach to sanctioning ransomware gangs because of the fear that the sanctions might "re-victimize" targets by punishing them for paying a ransom.

There is no intention to prevent or punish businesses that are forced to make a payment in the face of an existential threat, they say.

The public guidance around the sanctions encourages companies to report the attacks and any payments to Action Fraud and OFSI as a mechanism to “de-risk,” insiders tell The Record, hopefully also helping to address a severe lack of visibility into the true scale of the criminal industry.

The guidance would be in-line with that issued by OFAC in 2010, which encourages victims to “fully cooperate with law enforcement” as a “significant mitigating factor” when it considers to penalize a business that has made a ransomware payment.

The sanctions purposefully target named individuals rather than the amorphous ransomware brands they work for, meaning the burden of proof to link an extortion payment to one of the sanctioned parties will be too high to prosecute.

Economic and personal impact

The seven criminals are all based in Russia, which constitutionally does not extradite its own citizens, making arrests by Western law enforcement extremely unlikely — even aside from the geopolitical climate following Russia’s invasion of Ukraine. Suspects are occasionally picked up when they travel abroad.

But naming the cybercriminals is meant to be an effective disruption, undermine their anonymity and add stress to any potential relationships between them and Russia’s Federal Security Service (FSB), particularly if the criminals were expected to have been providing bribes or kickbacks to corrupt FSB officials.

The U.K.’s National Cyber Security Centre — a part of signals and cyber intelligence agency GCHQ — assessed that it was “highly likely” that key group members "maintain links" to Russian intelligence services and "have likely received tasking,” from them.

“The targeting of certain organisations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives," the NCSC said.

It is also highly likely that "the group evolved from previous cyber organised crime groups and likely have extensive links to other cyber criminals, notably EvilCorp and those responsible for Ryuk ransomware,” the NCSC added.

In its announcement, OFAC referred to the overall cybercrime operation as the Trickbot Group, and said it is "associated with Russian Intelligence Services."

"The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services," OFAC said. "This included targeting the U.S. government and U.S. companies."

Don Smith, the vice president of research at Secureworks, noted that Trickbot leaders abandoned their botnet operations and the related malware family in early 2022 “in favor of other crimeware.”

The sanctions don’t mention the current ransomware schemes that the individuals are suspected of being involved in, he said. That choice gives “law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimizing the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions.”

Pushing back

The move follows the FBI and Department of Justice announcing last month that they had infiltrated the Hive ransomware group and had been identifying victims and providing them with the decryption keys for around six months.

Among the more startling details to emerge from the Hive takedown was that only 20% of victims reported attacks to law enforcement, indicating the lack of visibility that law enforcement has on the scale of the criminal industry.

While a number of companies monitor the ransomware groups’ extortion sites for an indication of the numbers of victims that have been targeted, some insiders speculate that these public figures and private reports to law enforcement collectively constitute a single digit percentage of how many attacks in total are taking place.

These attacks can pose more than just a risk to the existence of the businesses they target, but in the case of critical infrastructure can actually endanger life. As of last November ransomware incidents made up the majority of the British government’s “Cobra” crisis management meetings.

Since then further high-profile targets in the U.K. — including The Guardian newspaper and Royal Mail — have confirmed being impacted by ransomware incidents.

Officials dealing directly with the ransomware issue previously told The Record they saw no light at the end of the tunnel, even of the prospect of any improvements which could help the U.K. clamp down on the problem.

They said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”

They believe that reports from companies such as Chainalysis — which claimed ransomware revenue fell by $300 million last year — are likely significantly overstated. 

Chainalysis itself acknowledges its methodology was limited to cryptocurrency addresses known to be controlled by ransomware actors, but many ransomware groups use one-time addresses that the blockchain scanning companies cannot detect.