Seven Russian ransomware criminals sanctioned in joint UK/US crackdown on international cybercrime
Seven Russian cyber criminals linked to the group behind some of the most damaging ransomware attacks on the UK in recent years have been sanctioned by the Government in a coordinated action with US authorities.
It follows a lengthy investigation by the National Crime Agency (NCA) into the crime group behind Trickbot malware, as well as the Conti and Ryuk ransomware strains, among others.
The NCA assesses that the group was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities, although their true impact is likely to be much higher.
The sanctions, a first for the UK, were confirmed on Thursday (February 9) by the Foreign, Commonwealth and Development Office alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). They form part of a concerted campaign by the UK and the US to tackle international cybercrime.
The seven cyber criminals will now be subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system.
NCA Director-General Graeme Biggar said: “This is a hugely significant moment for the UK and our collaborative efforts with OFAC to disrupt international cyber criminals.
“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.
“This is an excellent example of the dedication and expertise of the NCA team who have worked closely with partners on this complex investigation.
“We will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.”
Ransomware is a tier one national security threat, with attacks continuing to increase in scale and complexity. The NCA says criminals behind these attacks specifically target the systems of organisations they judge will pay them the most money and time their attacks to cause maximum damage, including targeting hospitals in the middle of the pandemic.
Although the Conti group disbanded last year, reporting suggests its members, including those sanctioned, continue to be involved in some of the most notorious new ransomware strains that dominate and threaten UK security.
Ransomware groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been responsible for the development and deployment of Trickbot, Anchor, BazarLoader, BazarBackdoor, as well as the ransomware strains Conti and Diavol. They are also involved in the deployment of Ryuk ransomware.
There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid around £17 million.
Foreign Secretary James Cleverly said: “By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.”
An indictment was ‘unsealed’ on Thursday in the US District Court for the District of New Jersey charging one of the individuals, Vitaliy Kovalev, with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various US-based financial institutions that occurred in 2009 and 2010.
This alleged offending predates that of the Conti group.
According to research from Chainalysis, the group extorted $180 million from global ransomware victims in 2021 alone.
Recent victims in the UK include the Scottish Environment Protection Agency, food distribution firm Reed Boardall, Redcar and Cleveland Council, and forensic laboratory Eurofins.
Internationally, the Irish Health Service Executive, Costa Rican Government and American healthcare providers were targeted.
Security Minister Tom Tugendhat said: “We’re targeting cyber criminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, hurt many and disrupted lives, at great expense to the taxpayer.
“Cybercrime knows no boundaries and threatens our national security. These sanctions identify and expose those responsible.”
The NCA says the Russian State provides a “permissive environment” for ransomware actors to operate by neglecting their responsibility to investigate and disrupt such groups and, in some instances, by actively supporting these groups in their criminal endeavours.
The National Cyber Security Centre (NCSC) assessed that key members of the Conti group “highly likely” maintain links to the Russian Intelligence Services from which they have likely received tasking.
The targeting of certain organisations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives, it added.
The group was one of the first cybercrime groups to back Russia’s war in Ukraine, voicing its support for the Kremlin within 24 hours of the invasion.
NCSC chief executive officer Lindy Cameron said: “Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be.
“The NCSC is working with partners to bear down on ransomware attacks and those responsible, helping to prevent incidents and improve our collective resilience.
“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”
The UK’s Office of Financial Sanctions Implementation is also publishing new public guidance that sets out the implications of these new sanctions in ransomware cases.