

The U.S. and U.K. announced sanctions against one Ukrainian national and six Russian nationals on Feb. 9, 2023, for their alleged involvement in Trickbot malware and Conti ransomware attacks. The action marks a continuing strategy to disrupt those involved in cybercrime and ransomware through prosecutions and sanctions. With the announcement, U.S. and U.K. authorities released the real names, birthdates, email addresses and handles used on underground forums of those who were sanctioned. The countries also say those named are “associated” with Russian intelligence services, a link that has long been suspected. The Trickbot gang is regarded as one of the most financially profitable cybercrime groups.
Intel 471 has tracked the handles of those now under sanction. What’s notable is the direct link between cybercriminal operations stretching back more than a decade and ones that have caused recent harm. As others have observed, it’s a relatively small pool of criminals engaging in persistent malicious activity, but one that is unfortunately out of reach of the law enforcement agencies willing to take action.
[Image: Trickbot Conti Ransomware - The U.K.’s National Crime Agency published photographs of six of seven individuals sanctioned for allegedly participating in the Trickbot and Conti cybercrime operations.]
Trickbot: Gateway to Ransomware
Before ransomware’s reach began expanding in 2015, cybercriminals stole money from online bank accounts. To do that, they used banking malware that went by names including Dyre, GameOver Zeus and Zeus. Trickbot, which appeared in 2016, traces its lineage to Dyre. It became one of the most pervasive types of banking malware for several years, infecting millions of computers. Victims were infected after clicking malicious links or attachments in spam emails. Like other types of banking malware, Trickbot could steal login credentials and then funnel those credentials to cybercriminals who would transfer money out of the accounts.
Banking malware, however, fell out of favor not long after Trickbot appeared. Ransomware, which involves extorting victims after encrypting their files, became the preferred money-making tool. With that transition, Trickbot became an integral distribution mechanism due to its large footprint. Trickbot provided a pipeline of foothold infections that could be used to install ransomware strains such as Ryuk and Conti. Over time, however, researchers became better at tracking Trickbot, and anti-malware products improved at detecting and removing it from computers. Trickbot was also targeted by Microsoft and U.S. Cyber Command in October 2020. Although that action did not completely eradicate the botnet, it made operations harder for Trickbot’s operators. Eventually, another type of malware and botnet, Emotet - which we covered in depth here - surpassed it.
Trickbot Group: Underground Insight
Intel 471’s intelligence analysts have observed the personas sanctioned by authorities throughout the cyber underground for some time. Additional details include:
Vitaly Nikolayevich Kovalev, 34, of Russia
Handles: “Bentley,” “Ben,” “Benny” and “Alex Konor”
The U.S. and U.K. say he was a “senior figure within the Trickbot Group.” In addition to sanctioning him, U.S. prosecutors unsealed an indictment from 2012 that implicates him in the theft of US $950,000 from online bank accounts between 2009 and 2010. He’s also accused of coordinating with other people (known as “money mules”) to wire the money overseas.
Intel 471 has observed Bentley’s deep involvement in financial crime and eventually ransomware. Bentley was one of the principal members of GameOver Zeus, which was a type of banking malware and a botnet used to distribute the CryptoLocker ransomware. GameOver Zeus was disrupted by law enforcement in 2014. At that same time, prosecutors announced an indictment against GameOver Zeus’s administrator, Evgeniy Mikhailovich Bogachev, known on cybercrime forums as “slavik” and “lucky12345.” Conversations on an underground forum called Mazafaka point to slavik and Bentley having a working relationship and perhaps sharing the same handle (“Ferrari”) on the forum. Bogachev remains at large and on the FBI’s Cyber Most Wanted List.
Ivan Vasilyevich Vakhromeyev, 34, of Russia
Handles: “Mushroom” and “Mush”
Mushroom, whose activity traces back to the earliest versions of ZeuS and later GameOver Zeus, was once a principal customer of Bogachev. Mushroom was a principal developer and development manager of BazarBackdoor, a backdoor distributed by Trickbot.
Maksim Sergeevich Mikhailov, 46, of Ukraine
Handles: “Baget,” “maxMS76” and “vnc”
Baget was the principal developer and project manager for Conti and Trickbot. Baget appears to have supervised ransomware development, including the Diavol ransomware, which the FBI linked to the Trickbot gang. Baget also has links to the BazarLoader malware. Baget’s real name was revealed in the Conti gang’s chat leak.
Valery Veniaminovich Sedletski, 48, of Russia
Handles: “Strix” and “valerius”
Strix appears to have been heavily involved in devops and infrastructure administration. Strix managed several other administrators and operated portions of the infrastructure. He also handled infrastructure-related operational expenses.
Outlook
