The United Kingdom and United States on Thursday sanctioned seven people connected to a single network behind the Conti and Ryuk ransomware gangs as well as the Trickbot banking trojan.
Insiders describe the sanctions as the first major move by Western governments against the growing ransomware industry and say that further actions should be expected later this year.
The sanctions mean the individuals have their assets frozen and travel bans imposed, according to the British government, which said the sanctions were part of a “new campaign of concerted action” being coordinated with the United States.
At the same time the U.S. Department of Justice charged the hacker known as “Bentley” — alleged real name Vitaly Kovalev — with conspiracy to commit bank fraud and eight counts of bank fraud.
The individuals added to the consolidated list of financial sanctions targets are:
Vitaliy Kovalev, aka Bentley
Mikhail Isktritskiy, aka Tropa
Valentin Karyagin, aka Globus
Maksim Michailov, aka Baget
Dmitry Pleshevskiy, aka Iseldor
Valery Sedletski, aka Strix
Ivan Vakhromeyev, aka Ivanalert/Mushroom
The joint action is the first public attribution by Western governments formally linking the Conti and Ryuk ransomware gangs and the Trickbot banking trojan to a single criminal organization.
It follows the British Office of Financial Sanctions Implementation (OFSI) and the United States Office of Foreign Asset Control (OFAC) announcing an “enhanced partnership” last October amid increased sanctions addressing the Russian invasion of Ukraine.
It is the first time that OFSI has issued sanctions against a ransomware group amid a growing number of high-profile attacks in the country, potentially meaning that companies who make an extortion payment could be in breach of the law.
As the government warned: “Making funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions.”
Sources with knowledge of the government’s response to the ransomware crisis told The Record that the intention is not to re-victimize organizations that have been forced to make a payment due to the existential threat that the attacks had on their operations.
They note the sanctions purposefully target named individuals rather than the amorphous ransomware brands they work for, meaning the burden of proof to link an extortion payment to one of the sanctioned parties will be too high to prosecute.
In addition, the public guidance around the sanctions encourages companies to report the attacks and any payments to Action Fraud and OFSI as a mechanism to “de-risk,” insiders tell The Record, hopefully also helping to address a severe lack of visibility into the true scale of the criminal industry.
The guidance would be in line with that issued by OFAC in 2010, which encourages victims to “fully cooperate with law enforcement” as a “significant mitigating factor” when it considers whether to penalize a business that has made a ransomware payment.
The seven criminals are all based in Russia, which constitutionally does not extradite its own citizens, making arrests by Western law enforcement extremely unlikely — even aside from the geopolitical climate following Russia’s invasion of Ukraine — although suspects are occasionally picked up when they travel abroad.
But naming the cybercriminals is meant to be an effective disruption, undermine their anonymity and add stress to any potential relationships between them and Russia’s Federal Security Service (FSB), particularly if the criminals were expected to have been providing bribes or kickbacks to corrupt FSB officials.
The move follows the FBI and Department of Justice announcing last month that they had infiltrated the Hive ransomware group and had been identifying victims and providing them with the decryption keys for around six months.
Among the more startling details to emerge from the Hive takedown was that only 20% of victims reported attacks to law enforcement, indicating the lack of visibility that law enforcement has on the scale of the criminal industry.
While a number of companies monitor the ransomware groups’ extortion sites for an indication of the number of victims that have been targeted, some insiders speculate that these public figures and private reports to law enforcement collectively account for only a single-digit percentage of the attacks actually taking place.
These attacks pose more than a risk to the survival of the businesses they target; in the case of critical infrastructure they can endanger life. As of last November, ransomware incidents made up the majority of the British government’s “Cobra” crisis management meetings.
Officials dealing directly with the ransomware issue previously told The Record they saw no light at the end of the tunnel, or even the prospect of any improvements that could help the U.K. clamp down on the problem.
They said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”
They believe that reports from companies such as Chainalysis — which claimed ransomware revenue fell by $300 million last year — are likely significantly overstated.
Chainalysis itself acknowledges its methodology was limited to cryptocurrency addresses known to be controlled by ransomware actors, but many ransomware groups use one-time addresses that the blockchain scanning companies cannot detect.