Sanctions Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 28 Dec 2023 22:15:03 +0000 en-US hourly 1 https://wordpress.org/?v=87331 200474804 NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers https://gridinsoft.com/blogs/conti-trickbot-hackers-sanctions/ https://gridinsoft.com/blogs/conti-trickbot-hackers-sanctions/#respond Thu, 07 Sep 2023 20:02:57 +0000 https://gridinsoft.com/blogs/?p=16801 On September 7, 2023, NCA released a statement regarding the new complex pack of sanctions against Russian Conti cybercrime group members. Accused of participating in extortions worth $800 million, gang members have now lost any property and equity under the US and UK jurisdiction. US and UK Authorities Uncover 11 More Russian Hackers Related to… Continue reading NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

]]>
On September 7, 2023, NCA released a statement regarding the new complex pack of sanctions against Russian Conti cybercrime group members. Accused of participating in extortions worth $800 million, gang members have now lost any property and equity under the US and UK jurisdiction.

US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.

Conti/Trickbot Sanctioned
Collection of mugshots of sanctioned hackers, published by the NCA

Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.

These sanctions are a continuation of our campaign against international cyber criminals.
Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.
These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.NCA Director General of Operations Rob Jones

Authorities Published Hackers’ Personal Data

What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.

Name Online Nicknames Position
Dmitry Putilin Grad, Staff Participated in Trickbot infrastructure purchases
Artem Kurov Naned One of the Trickbot developers
Maksim Galochkin Bentley, Max17, Volhvb Lead of the testers team, also responsible for actual development and supervision
Mikhail Tsarev Frances, Mango, Khano Mid-tier manager, responsible for money flows; also touched HR functions
Alexander Mozhaev Green, Rocco Part of the group administration
Maksim Rudenskiy Buza, Binman, Silver Lead of Trickbot’s developers team
Andrey Zhuykov Adam, Defender, Dif One of the major administrators in the cybercrime gang
Sergey Loguntsov Begemot_Sun, Begemot, Zulas Member of the development team
Mikhail Chernov m2686, Bullet Part of the group’s internal utilities
Vadym Valiakhmetov Weldon, Mentos, Vasm Part of the development team, responsible for backdoors and loaders
Maksim Khaliullin Kagas Chief HR manager of the group. Responsible for purchasing VPSs for TrickBot infrastructure.

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.

Conti infection chain

QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/conti-trickbot-hackers-sanctions/feed/ 0 16801
TrickBot Members Sanctioned By U.S. and UK https://gridinsoft.com/blogs/trickbot-members-sanctioned/ https://gridinsoft.com/blogs/trickbot-members-sanctioned/#respond Thu, 09 Feb 2023 20:20:52 +0000 https://gridinsoft.com/blogs/?p=13342 US and UK law enforcements imposed sanctions against 7 members of a cybercrime gang that stands after TrickBot malware, including top management. Cooperation between the U.S. The Department of Treasury and U.K Foreign, Commonwealth and Development office ended up identifying the personality of key actors of this malware gang. Sanctions brought serious restrictions upon financial… Continue reading TrickBot Members Sanctioned By U.S. and UK

The post TrickBot Members Sanctioned By U.S. and UK appeared first on Gridinsoft Blog.

]]>
US and UK law enforcements imposed sanctions against 7 members of a cybercrime gang that stands after TrickBot malware, including top management. Cooperation between the U.S. The Department of Treasury and U.K Foreign, Commonwealth and Development office ended up identifying the personality of key actors of this malware gang. Sanctions brought serious restrictions upon financial operations for all persons involved.

TrickBot Members Sanctioned

On February 9, 2023, the US Department of the Treasury reported about sanctions laid upon 7 Russian citizens, allegedly related to the activity TrickBot malware. This advanced trojan consistently targeted numerous companies and government organisations around the world, leading to disruptions and money losses. This honourless gang is known for attacking hospitals and healthcare centres during the first COVID-19 outbreaks back in 2020. Despite Russia utterly ignoring internationally-wanted cybercriminals under her jurisdiction, it is still feasible to strike back.

Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime. — Under Secretary Brian E. Nelson.

List of sanctioned persons:

Vitaly Kovalev Key person of the TrickBot group, a.k.a. “Bentley” or “Ben” on different online forums. Managed attacks upon US financial institutions back in 2009, thus is accused of bank fraud and a series of breaks into bank accounts of malware victims.
Valery Sedletski Gang administrator, in charge of server management. Uses the nickname “Strix”.
Ivan Vakhromeyev Team manager in TrickBot. Uses the nickname “Mushroom”.
Valentin Karyagin Developer of the ransomware payload carried by TrickBot. Uses “Globus” nickname.
Mikhail Iskritsky Key person in money laundering schemes used by the gang. Known online as “Tropa”.
Maksim Mikhailov Main payload developer. Active online under the nickname of “Baget”
Dmitry Pleshevskiy Is in charge of malware injection to the websites that precede money stealing. Uses the nickname “Iseldor” to communicate online.

U.S. law enforcements claimed the confiscation of any property that belongs to the designated individuals and is located under US control. Additionally, these sanctions suppose secondary sanctions to any financial organisation that will knowingly provide services to mentioned persons. Paying money to these threat actors is considered sponsoring the crime, and thus is outlaw. It is both about bank and cryptocurrency transfers, willingly or after the ransomware attack.1

What is TrickBot malware?

TrickBot is a banking trojan, that carries capabilities of injecting other malware into the system, i.e. acting as a malware dropper. Appearing back in 2016, it started as a banking stealer – a malware type that aims precisely at banking credentials. With time, it evolved into a modular malware that acts mostly as a delivery infrastructure for other malware, particularly Conti and Ryuk ransomware. Nonetheless, it did not lose its original functionality, thus being able to both wreak havoc with ransomware and pickpocket in its own, stealer’s fashion.

Massive attacks scale, together with targeting critical infrastructure and government organisations, expectedly brought an ill-fame halo around this gang. They became wanted by law enforcements in numerous countries around the world, but as we mentioned above, Russia never hastened with giving up their hackers, excepting rare cases. Meanwhile, feeling their impunity, the TrickBot group together with their “partners” turned even more aggressive. Obviously, sanctions will not stop these crooks from doing dirty deeds but will create a lot of problems with money laundering and overall transactions with the dirty money they have.

The post TrickBot Members Sanctioned By U.S. and UK appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/trickbot-members-sanctioned/feed/ 0 13342