U.S. and U.K. law enforcement have sanctioned 11 individuals associated with the Russia-linked Trickbot cyber crew, U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the British Foreign Office report.
The U.S. Department of Justice (DOJ) has simultaneously unsealed indictments against nine individuals in connection with the Trickbot malware and Conti ransomware, including seven of the newly indicted persons.
Sanctioned cyber gang members include Trickbot actors involved in management and procurement, namely administrators, managers, developers and coders who have materially assisted the Trickbot group in its operations. In total, the joint U.S. and U.K. operations have sanctioned 18 Trickbot members. Last February, the two countries collaborated to impose sanctions on seven members of the group.
Trickbot's Russian Connection
Trickbot is believed to be tied to Russian intelligence services and has targeted U.S. government and private industry. In particular, during the COVID-19 pandemic Trickbot targeted many U.S. critical infrastructure and health care providers. The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services, U.S. and U.K cyber intelligence officials said.
Trickbot is said to have extorted some $180 million from victims globally, and at least £27 million from 149 UK victims.
“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian Nelson. “In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”
British Foreign Secretary James Cleverly explained that the move was an attempt to Trickbot's business model and strip them of their anonymity.
“These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims," he said. "Our sanctions show they cannot act with impunity. We know who they are and what they are doing.”
Impact of the Sanctions
By and large, material sanctions don’t carry much weight, especially considering that the U.S. has already sanctioned Russia. However, officials said it will make laundering money more challenging for the named gang members. British officials said that naming the alleged perpetrators will make it harder for them to hide behind “online pseudonyms and monikers,” many of which have now been revealed.
Two years ago, Microsoft, along with a group of security companies and a tandem effort by the U.S. Cyber Command, dealt the Trickbot operation a serious blow, slowing at least for a while, the ransomware distributor’s malware campaigns. Members of the Trickbot syndicate are said to have joined another ransomware group called Conti.
At the time, the highly targeted initiatives included disabling IP addresses, making the content stored on the command-and-control servers inaccessible, suspending all services to the botnet operators and blocking any effort by the Trickbot operators to purchase or lease additional servers. It was largely a preemptive strike against what U.S. officials expected would be an assault by Trickbot operatives to attack the 2020 presidential election with malware.
Trickbot is the primary delivery mechanism for the notorious ransomware variant Ryuk and a prime mover in the ransomware-as-a-service model. It first appeared in 2016 as a banking trojan designed to steal credentials. It was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files.