
U.S., U.K. Sanction Top Trickbot Members in Maneuver to Tie Up Assets


The United States and the United Kingdom have sanctioned seven leading members of an infamous Russian hacking crew known as Trickbot in a maneuver to tie up their assets and prohibit Americans from engaging with them, U.S. Treasury Department officials said.

“The United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot,” Treasury said in a statement.

Current and past members of the Trickbot hacking group are said to be associated with Russian Intelligence Services.

U.S. and U.K. Join Forces

This action represents the first sanctions of their kind for the U.K., and results from a collaborative partnership between the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware, U.S. Treasury said.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” said Under Secretary Brian Nelson. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

Britain's National Crime Agency Director-General Graeme Biggar added:

“This is a hugely significant moment for the UK and our collaborative efforts with the U.S. to disrupt international cyber criminals.”

While the move is largely symbolic given U.S. sanctions already imposed on Russia, it could still have implications for cyber gangs trying to launder stolen money.

Two years ago, Microsoft, along with a group of security companies and in tandem with a separate effort by U.S. Cyber Command, dealt the Trickbot operation a serious blow, slowing, at least for a while, the ransomware distributor’s malware campaigns. Members of the Trickbot syndicate are said to have since joined another ransomware group called Conti.

At the time, the highly targeted initiatives included disabling IP addresses, making the content stored on the command-and-control servers inaccessible, suspending all services to the botnet operators and blocking any effort by the Trickbot operators to purchase or lease additional servers. It was largely a pre-emptive strike against what U.S. officials expected would be an assault by Trickbot operatives to attack the 2020 presidential election with malware.

Microsoft’s work to dismantle Trickbot came on the heels of a quiet action by U.S. Cyber Command to hack the hackers’ command-and-control servers around the world. Cyber Command’s and Microsoft’s moves were reportedly not part of a coordinated effort.

How Trickbot Operates

Trickbot is the primary delivery mechanism for the notorious ransomware variant Ryuk and a prime mover in the ransomware-as-a-service model. It first appeared in 2016 as a banking trojan designed to steal credentials. It was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files.

In addition to financial services companies, its ransomware victims include city governments, school districts, media outlets, medical facilities, businesses and state agencies. During the height of the pandemic, Trickbot locked up hundreds of hospitals in ransomware attacks.

Trickbot's Conspirators Revealed

These are the seven Trickbot conspirators:

  • Vitaly Kovalev was a senior figure within the Trickbot Group. He has been charged with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held in various U.S.-based financial institutions.
  • Maksim Mikhailov has been involved in development activity for the Trickbot Group.
  • Valentin Karyagin has been involved in the development of ransomware and other malware projects.
  • Mikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group.
  • Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials.
  • Ivan Vakhromeyev has worked for the Trickbot Group as a manager.
  • Valery Sedletski has worked as an administrator for the Trickbot Group, including managing servers.

Late last year, the Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre (ACSC) jointly compiled an advisory of the top malware strains for 2021.

The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MouseIsland, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.

Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years and Qakbot and Ursnif for more than a decade.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.