On Thursday (7th September), the US and the UK announced sanctions and three indictments against eleven Russian nationals who are all alleged members of the TrickBot and Conti ransomware operations.

The US sanctions were issued by the Department of the Treasury’s Office of Foreign Assets Control (OFAC), while the UK sanctions were announced by the National Crime Agency (NCA).

Eleven sanctioned members of Conti & TrickBot

The names of those sanctioned are:

  • Andrey Zhuykov – a central actor in the group and a senior administrator. Known by the online monikers “Defender”, “Dif” and “Adam”.
  • Maksim Galochkin – led a group of testers, with responsibility for the development, supervision and implementation of tests. Known by the online monikers “Bentley”, “Volhvb” and “Max17”.
  • Maksim Rudenskiy – a key member of the TrickBot group and the team lead for coders. Known by the online monikers “Buza”, “Silver” and “Binman”.
  • Mikhail Tsarev – a mid-level manager who assisted with the group’s finances and oversaw HR functions. Known by the online monikers “Mango”, “Frances” and “Khano”.
  • Dmitry Putilin – associated with the purchase of TrickBot infrastructure. Known by the online monikers “Grad” and “Staff”.
  • Maksim Khaliullin – an HR manager for the group, also associated with the purchase of TrickBot infrastructure, including procuring Virtual Private Servers (VPS). Known by the online moniker “Kagas”.
  • Sergey Loguntsov – a developer for the group. Known by the online monikers “Begemot”, “Begemot_Sun” and “Zulas”.
  • Alexander Mozhaev – part of the admin team, responsible for general administration duties. Known by the online monikers “Green” and “Rocco”.
  • Vadym Valiakhmetov – a coder whose duties included backdoor and loader projects. Known by the online monikers “Weldon”, “Mentos” and “Vasm”.
  • Artem Kurov – a coder with development duties in the TrickBot group. Known by the online moniker “Naned”.
  • Mikhail Chernov – part of the internal utilities group. Known by the online monikers “Bullet” and “m2686”.

Conti & TrickBot

TrickBot, which ceased operation in 2022 after being absorbed into the Conti operation, was a suite of malware tools designed to steal money and to facilitate the deployment of ransomware.

Launched in 2015 as an evolution of the Dyre trojan, TrickBot initially focused on stealing banking credentials. Over time it developed into a modular malware platform that provided initial access to corporate networks for other cybercrime operations, first Ryuk and later the Conti ransomware operation.

During the COVID-19 pandemic in 2020, the TrickBot group launched a series of ransomware attacks that disrupted hospitals and other healthcare centers across the globe, with many of the targets in the US.

The Conti ransomware gang eventually took control of the TrickBot operation and shifted its efforts to more advanced and stealthier malware, such as BazarBackdoor and Anchor.

“These sanctions are a continuation of our campaign against international cyber criminals.

“Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.

“These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.”

Rob Jones – NCA Director General of Operations