Banking ransomware cybergang members sanctioned

Seven members of a prolific Russian cybergang known as Trickbot have been sanctioned thanks to a coordinated effort by US and UK authorities. 

According to the UK’s National Cyber Security Centre (NCSC), Trickbot is an “established banking trojan” used in many cyber attacks against businesses both in the UK and abroad. It is designed to gain access to online accounts, including bank accounts, in order to obtain personally identifiable information.

“In some cases, Trickbot is used to infiltrate a network. Once inside it can be used to deploy other malware, including ransomware and post-exploitation toolkits,” says the NCSC. “Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails will often contain an attachment (or link to an attachment) which victims are instructed to open, leading to their machine being exploited.”

According to figures from researchers at Chainalysis, the Russian cybergang extorted US$180m from ransomware victims in 2021 alone. 

The sanctioned individuals have had their US assets frozen and travel bans imposed, and are banned from making transactions in the US.

“Any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to US correspondent or payable-through account sanctions,” said the US Treasury.

The sanctions are the first of their kind for the UK and “signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies,” said Graeme Biggar, Director General of the National Crime Agency. “They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat.”

The sanctioned individuals are listed below (information taken from the US Department of the Treasury press release): 

Vitaly Kovalev was a senior figure within the Trickbot Group. Vitaly Kovalev is also known by the online monikers “Bentley” and “Ben”. Today, an indictment was unsealed in the US District Court for the District of New Jersey charging Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various US-based financial institutions that occurred in 2009 and 2010, predating his involvement in Dyre or the Trickbot Group.

Maksim Mikhailov has been involved in development activity for the Trickbot Group. Maksim Mikhailov is also known by the online moniker “Baget”.

Valentin Karyagin has been involved in the development of ransomware and other malware projects. Valentin Karyagin is also known by the online moniker “Globus”.

Mikhail Iskritskiy has worked on money-laundering and fraud projects for the Trickbot Group. Mikhail Iskritskiy is also known by the online moniker “Tropa”.

Dmitry Pleshevskiy worked on injecting malicious code into websites to steal victims’ credentials. Dmitry Pleshevskiy is also known by the online moniker “Iseldor”.

Ivan Vakhromeyev has worked for the Trickbot Group as a manager. Ivan Vakhromeyev is also known by the online moniker “Mushroom”.

Valery Sedletski has worked as an administrator for the Trickbot Group, including managing servers. Valery Sedletski is also known by the online moniker “Strix”.
