The United States and the United Kingdom have sanctioned 11 individuals who are part of the Russia-based Trickbot and Conti cybercrime gangs, the U.S. Department of the Treasury said Thursday.
The sanctions mean that any U.S. and U.K. organizations that send a ransom payment to any of the designated people following a ransomware attack “may themselves be” exposed to sanctions, according to Treasury. Furthermore, any property or interests in property of any of the 11 people must be blocked and reported to the Treasury’s Office of Foreign Assets Control (OFAC).
Banks may also be on the hook if they knowingly facilitate a large transaction for, or provide significant financial services to, the 11 individuals or entities.
Meanwhile, the Department of Justice is concurrently unsealing indictments against nine individuals, seven of whom fall under the sanctions, connected to the Trickbot malware and Conti ransomware cybercrime schemes.
The 11 sanctioned individuals span senior and junior members of the organizations, including people who worked as managers and recruiters, as well as developers and coders “who have materially assisted the Trickbot group in its operations.”
The agency said the cybercrime group has targeted the U.S. government, companies, and hospitals. The group was most active during the COVID-19 pandemic, targeting many critical infrastructure and health care providers in the United States.
According to the U.K.’s National Crime Agency, the cybercrime gang has extorted around $180 million from victims all over the world, and at least 29 million GBP from people in the U.K.
“These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims,” said U.K. Foreign Secretary James Cleverly. “Our sanctions show they cannot act with impunity. We know who they are and what they are doing.”
In one instance in 2020, the Trickbot group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which ransoms had been paid to the group. Members of the Trickbot group are associated with Russian intelligence services.
“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian Nelson in a statement. “In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”
The sanctions are part of an ongoing collaboration between the United States and the U.K. to disrupt Russian cybercrime and ransomware. Earlier this year, Washington and London sanctioned their first group of seven Trickbot members for their alleged roles in launching attacks on hospitals and government institutions.
Trickbot traces its origins to 2014 and the creation of the Dyre online banking trojan. It evolved from Dyre in 2016, and the name now refers both to the malware and to the cybercriminal group behind it, which consists largely of individuals located in Moscow.
The group specializes in targeting non-Russian individuals, businesses, and financial institutions and has created a modular malware suite that allows it to conduct an array of illegal activities.
The Trickbot trojan malware has infected millions of victim computers around the world, including those of U.S. companies and individuals. Since its inception, it has evolved into a highly modular malware suite that provides the Trickbot group the ability to conduct a variety of malicious cyber activities, including ransomware.