GovWire

• Sanctions hit eleven from Russian cyber gang that targeted hospitals and other critical infrastructure
• Sanctions will disrupt ransomware attacks and expose attackers behind them
• New measures delivered in coordinated effort with the United States

Members of a Russiancybercriminalgang behind the Trickbot/Contiransomware attacks, which included the hacking of critical infrastructure and hospitals during the COVID-19 pandemic,face new sanctions today (7 September).

Eleven cybercriminals, whose gang also threatened those who oppose the illegal Russian invasion of Ukraine, have beentargetedwith asset freezes and travel bans in a coordinated effort by UK and US authoritiesto counter the threat of ransomware bothin the UK andabroad. The US Department of Justice (DOJ) is concurrently unsealing indictments against seven of the individuals designated today.

The National Crime Agency (NCA), who conducted a complex investigation into these individuals, assesses that the group was responsible for extorting at least $180m from victims globally, and at least 27m from 149 UK victims. The attackers sought to target UK hospitals, schools, local authorities and businesses.

The individuals being designatedin the UK are:

• Andrey Zhuykov was a central actor in thegroup and a senior administrator. Known bythe online monikers Defender,Dif and Adam.
• Maksim Galochkin led a group of testers, with responsibilities for development, supervisionand implementation of tests. Known bythe online monikers Bentley,Volhvb and Max17
• Maksim Rudenskiy was a key member of the Trickbotgroup and was the team lead for coders. Known bythe online monikers Buza,Silver and Binman.
• Mikhail Tsarev was a mid-level manager who assistedwith thegroups finances and overseeing of HR functions. Known bythe online monikers Mango,Fr*ances and Khano.
• Dmitry Putilin was associated with the purchase of Trickbotinfrastructure. Known bythe online monikers Grad and Staff.
• Maksim Khaliullin was an HR manager for thegroup. He was associated with the purchase of Trickbotinfrastructure including procuring Virtual Private Servers (VPS). Known bythe online moniker Kagas.
• Sergey Loguntsov was a developer for thegroup. Known bythe online monikers Begemot,Begemot_Sun and Zulas.
• Alexander Mozhaev was part of the admin team responsible for general administration duties. Known bythe online monikers Green and Rocco.
• Vadym Valiakhmetov worked as a coder and his duties included backdoor and loader projects. Known bythe online monikers Weldon,Mentos and Vasm.
• Artem Kurov worked as a coder with development duties in the Trickbotgroup. Known bythe online moniker Naned.
• Mikhail Chernov was part of the internal utilities group. Known bythe online monikers Bullet and m2686.

This action was taken in coordination with the US, where these key cybercriminals have also been sanctioned,and is a continuation of joint efforts by the UK and US to disrupt and impose costs on high harm cyber criminals. It is assessed that sanctions have hampered the ability of cyber threat actors to monetise their cyber criminalactivities.

Foreign Secretary James Cleverly said:

These cybercriminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims.

Our sanctions show they cannot act with impunity. We know who they are and what they are doing.

By exposing their identities, we are disruptingtheir business models andmaking it harder for them to target our people, our businesses and our institutions.

The individuals, all Russian nationals, operatedout of the reach of traditional law enforcement and hid behind online pseudonyms and monikers many of which are revealed today. Removing their anonymity undermines the integrity of these individuals and their criminal businesses that threaten UK security.

Several of those facing sanctions today held significant roles within thegroup. Those targeted includehigh-level managers and administrators, as well astwoindividuals, Maksim Khaliullinand Mikhail Tsarev, who focused on recruiting and inducting new members.

Thegroup was also one of the first to offer support for Russias invasion of Ukraine, maintaininglinks and receiving tasking from the Russian Intelligence Services.

Deputy Prime Minister and Secretary of State in the Cabinet Office Oliver Dowden said:

By targeting these malicious cyber actors, who have been known to work with some of the most damaging ransomware strains, we are seeking out and exposing those who threaten the UKs national security.We will alwaystake decisive action with international partners to protect the UK, its peopleand businesses.

Security Minister Tom Tugendhat said:

These sanctions demonstratethat the UK will crackdown on those trying to hold UK businesses and infrastructureto ransom. We will use our law enforcement agencies to go after the perpetrators and punish their crimes.

We have the skills and resources to find and unmask criminals who attemptto steal from British businesses, schoolsand hospitals.

We will keep working with our partners, like the US, to defeat these threats.

NCA Director General of Operations Rob Jones said:

These sanctions are a continuation of our campaign against international cyber criminals.

Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.

These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.

NCSC CEO Lindy Cameron said:

Alongside this latest round of sanctions, I strongly encourage organisations to proactively obstruct the activities of ransomware operatives by bolstering their online resilience.

Ransomware continues to be a significant threat facing the UK and attacks can have significant and far-reaching impact.

The NCSC has published free and actionable advice for organisations of all sizes on how to put robust defences in place to protect their networks.

Todays sanctions announcement reinforces the UKs commitment to cracking down on cyber criminals. They follow on from the first ever joint UK-US sanctions against ransomware actors in February this year. The total number of group members sanctioned is now 18.

Notes to Editors

• If you are the victim of a ransomware attack, you should use the UK Governments Cyber Incident Signposting Site as soon as possible for direction on which agencies to report your incident to.
• The Office of Financial Sanctions Implementation has published guidance, which sets out the implications of sanctions in ransomware cases.
• Making funds available to the individuals such as paying ransoms, including in cryptoassets, is prohibited under these sanctions.
• Organisations should have or should put in place robust cyber security and incident management systems in place to prevent and manage serious cyber incidents.
• The FCDO announced the first wave of sanctions and the launch of the UK-US campaign of coordinated action against ransomware actors on 09 February 2023
• As announced on 29 August 2023, an international operation, led by the FBI and involving the NCA, took down the Qakbot malware, which infected more than 700,000 computers globally, including the UK. The Qakbot malware was a key enabler for facilitating ransomware attacks and was utilised in Conti operations. Todays designation by the UK and US of further individuals involved in Conti/Trickbot represents the continued efforts to target and disrupt high harm ransomware actors.