Getty Images

U.S., U.K. hit TrickBot cybercrime gang with sanctions

TrickBot malware has caused considerable damage to U.S. organizations, particularly in the healthcare industry, and was used in Conti and Ryuk ransomware attacks.

U.S. and U.K. authorities sanctioned seven alleged members of the TrickBot cybercriminal group, who also have ties to Russian intelligence services.

The U.S. Department of the Treasury Thursday announced the joint sanctions and detailed the coordinated effort with the British government. Active since 2016, TrickBot malware is used to deploy ransomware and has infected more than 140,000 machines between 2020 and 2022 alone. The banking Trojan has been used in both Conti and Ryuk ransomware group operations.

In addition to their alleged involvement with TrickBot, "current members" of the group are associated with Russian government intelligence services. "The Trickbot Group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services," the Treasury Department said in the press release. "This included targeting the U.S. government and U.S. companies."

This is not the first law enforcement action against an alleged TrickBot member; developer Alla Witte was indicted in 2021 for her alleged involvement with the cybercrime group. However, Thursday's announcement is the "very first sanctions of their kind for the U.K.," according to the Treasury Department. As a result, businesses or individuals who work with any sanctioned TrickBot members could face legal consequences.

The Treasury Department also emphasized a surge in TrickBot activity during the pandemic. The threat grew so significantly that it led to Microsoft taking legal action to disrupt 94% of TrickBot infrastructure in October 2020. However, the takedown only had a temporary effect.

TrickBot targets included critical infrastructure, hospitals and other healthcare organizations. In 2020, law enforcement agencies in both the U.S. and U.K. issued advisories to the healthcare sector, warning of increased TrickBot attacks.

TrickBot members

The names and aliases of seven alleged members associated with Russian intelligence were listed in the press release. The roles of each accused member ranged from money laundering to the development of TrickBot, ransomware and other malware.

Vitaly Kovalev, who goes by the online aliases "Bentley" and "Ben," is accused of being a senior TrickBot figure. The Treasury Department also announced that an indictment in the U.S. District Court for the District of New Jersey, unsealed Thursday, charged Kovalev with conspiracy to commit bank fraud, including "a series of intrusions into victim bank accounts held at various U.S.-based financial institutions" in 2009 and 2010, prior to his alleged involvement with TrickBot.

Maksim Mikhailov, also known as "Baget," is accused of TrickBot development.

Valentin Karyagin, whose online moniker is "Globus," is allegedly involved in the development of ransomware and other malware projects.

Mikhail Iskritskiy, who hides behind the alias "Tropa," allegedly worked on money laundering and other fraud projects for the TrickBot group.

Dmitry Pleshevskiy, also known as "Iseldor," is accused of deploying malicious code for credential theft. In 2019, Cybereason detailed a "triple threat" campaign involving credential theft that combined Emotet, TrickBot and Ryuk ransomware.

Ivan Vakhromeyev is accused of working as a TrickBot manager. His alias is "Mushroom."

Finally, Valery Sedletski, otherwise known as "Strix," allegedly worked as administrator, managing TrickBot servers.

This is the latest in a series of law enforcement-imposed sanctions and arrests designed to make it harder for cybercriminal groups to make money from attacks against U.S.-based organizations.

Multiple cryptocurrency exchanges and mixers, including Garantex and Tornado Cash, have been sanctioned over the past two years to increase the consequences of paying ransom demands.

Last month, U.S. authorities arrested another alleged cybercriminal with Russian ties -- Anatoly Legkodymov, the founder of Bitzlato, a China-based cryptocurrency exchange accused of laundering $700 million worth of illicit funds. The indictment alleged a connection to ransomware payments and Hydra Market, a Russian dark web marketplace used to obscure a variety of illegal activities.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Threat detection and response