UK Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 28 Dec 2023 22:15:03 +0000

NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers
https://gridinsoft.com/blogs/conti-trickbot-hackers-sanctions/
Thu, 07 Sep 2023 20:02:57 +0000
On September 7, 2023, the NCA released a statement regarding a new, comprehensive package of sanctions against members of the Russian Conti cybercrime group. Accused of participating in extortion worth $800 million, the gang members have now lost any property and equity under US and UK jurisdiction.

US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot

Notice of the joint operation between American and British authorities appeared on several sites simultaneously. As in the previous round of sanctions against Russian hackers, the US Treasury and the UK National Crime Agency released statements about it. They succeeded in uncovering the identities of 11 individuals related to the Trickbot/Conti cybercriminal gang.

[Image: Collection of mugshots of sanctioned hackers, published by the NCA]

Authorities have established the involvement of the accused individuals in attacks on UK and US government and educational organisations, hospitals and companies. In total, this led to a net loss of £27 million in the UK alone, and over $800 million around the world. Despite the formal dissolution of the Conti group in June 2022, its members remained active under the banner of other cybercriminal groups.

“These sanctions are a continuation of our campaign against international cyber criminals. Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses. These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.”
– NCA Director General of Operations Rob Jones

Authorities Published Hackers’ Personal Data

What better revenge on someone fond of compromising identities than compromising their own? The authorities involved in the investigation and prosecution evidently think along the same lines, as they have published detailed information about each of the 11 sanctioned hackers.

Name | Online nicknames | Position
Dmitry Putilin | Grad, Staff | Participated in Trickbot infrastructure purchases
Artem Kurov | Naned | One of the Trickbot developers
Maksim Galochkin | Bentley, Max17, Volhvb | Lead of the testers team, also responsible for actual development and supervision
Mikhail Tsarev | Frances, Mango, Khano | Mid-tier manager, responsible for money flows; also handled HR functions
Alexander Mozhaev | Green, Rocco | Part of the group administration
Maksim Rudenskiy | Buza, Binman, Silver | Lead of Trickbot’s developers team
Andrey Zhuykov | Adam, Defender, Dif | One of the major administrators in the cybercrime gang
Sergey Loguntsov | Begemot_Sun, Begemot, Zulas | Member of the development team
Mikhail Chernov | m2686, Bullet | Worked on the group’s internal utilities
Vadym Valiakhmetov | Weldon, Mentos, Vasm | Part of the development team, responsible for backdoors and loaders
Maksim Khaliullin | Kagas | Chief HR manager of the group; responsible for purchasing VPSs for TrickBot infrastructure

What is the Conti/TrickBot group?

As cybercrime gangs are commonly named after their “mainstream” malware, the Conti gang was mostly known for its eponymous ransomware. But obviously, that was not the only payload they used in their attacks. Throughout its lifetime, Conti worked with, or even directly used, several stealer families. Among them are the infamous QakBot, whose botnet was hacked and dismantled at the end of summer 2023, and TrickBot. Both were mostly known as stand-alone names, while also being actively used in collaboration with different ransomware gangs, including Conti.

[Image: Conti infection chain]

QakBot is an old-timer of the malware scene. It emerged in 2007 as Pinkslipbot and quickly became successful as infostealer malware. Over time, it was updated with new capabilities, particularly ones that make it usable as an initial access tool and malware delivery utility. This determined the fate of this malware: it is now better known as a loader than as a stealer or spyware. It may be appropriate to speak of QBot in the past tense, though, as its fate after the recent botnet shutdown is unclear.

Trickbot’s story is not much different. The only difference is its date of appearance: it was first noticed in 2016. The rest of the story repeats: once an infostealer, then a modular malware that can serve as an initial access tool and loader. Some of the cybercriminals behind Trickbot were already sanctioned; in fact, they were the first hackers ever to be sanctioned.

Are sanctions seriously threatening hackers?

Actually, not much. Sanctions are not detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers: “you are not as anonymous as you think you are, and not beyond punishment.” The very next step there may be their arrest – upon their arrival in the US/UK, or in countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in a country where each police station has their mugshot pinned to the wanted board.

The post NCA and DoJ Introduce New Sanctions Against Conti/Trickbot Hackers appeared first on Gridinsoft Blog.

TrickBot Members Sanctioned By U.S. and UK
https://gridinsoft.com/blogs/trickbot-members-sanctioned/
Thu, 09 Feb 2023 20:20:52 +0000
US and UK law enforcement agencies imposed sanctions against 7 members of the cybercrime gang behind TrickBot malware, including its top management. Cooperation between the U.S. Department of the Treasury and the U.K. Foreign, Commonwealth and Development Office led to the identification of key actors in this malware gang. The sanctions impose serious restrictions on financial operations for all persons involved.

TrickBot Members Sanctioned

On February 9, 2023, the US Department of the Treasury announced sanctions against 7 Russian citizens allegedly related to the activity of TrickBot malware. This advanced trojan consistently targeted numerous companies and government organisations around the world, leading to disruptions and financial losses. This honourless gang is known for attacking hospitals and healthcare centres during the first COVID-19 outbreaks back in 2020. Despite Russia utterly ignoring internationally wanted cybercriminals under its jurisdiction, it is still feasible to strike back.

Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime. — Under Secretary Brian E. Nelson.

List of sanctioned persons:

Vitaly Kovalev – Key person of the TrickBot group, a.k.a. “Bentley” or “Ben” on different online forums. Managed attacks on US financial institutions back in 2009, and is thus accused of bank fraud and a series of break-ins into the bank accounts of malware victims.
Valery Sedletski – Gang administrator, in charge of server management. Uses the nickname “Strix”.
Ivan Vakhromeyev – Team manager in TrickBot. Uses the nickname “Mushroom”.
Valentin Karyagin – Developer of the ransomware payload carried by TrickBot. Uses the nickname “Globus”.
Mikhail Iskritsky – Key person in the money laundering schemes used by the gang. Known online as “Tropa”.
Maksim Mikhailov – Main payload developer. Active online under the nickname “Baget”.
Dmitry Pleshevskiy – In charge of injecting malware into websites as a precursor to money theft. Uses the nickname “Iseldor” to communicate online.

U.S. authorities announced the blocking of any property that belongs to the designated individuals and is located under US control. Additionally, these sanctions entail secondary sanctions against any financial organisation that knowingly provides services to the named persons. Paying money to these threat actors is considered sponsoring the crime, and is thus unlawful. This applies to both bank and cryptocurrency transfers, whether made willingly or after a ransomware attack.

What is TrickBot malware?

TrickBot is a banking trojan that also carries the capability of injecting other malware into the system, i.e. acting as a malware dropper. Appearing back in 2016, it started as a banking stealer – a malware type that aims precisely at banking credentials. Over time, it evolved into a modular malware that acts mostly as a delivery infrastructure for other malware, particularly Conti and Ryuk ransomware. Nonetheless, it did not lose its original functionality, so it is able both to wreak havoc with ransomware and to pickpocket in its own stealer fashion.

The massive scale of the attacks, together with the targeting of critical infrastructure and government organisations, expectedly brought notoriety to this gang. They became wanted by law enforcement agencies in numerous countries around the world, but as we mentioned above, Russia has never been quick to hand over its hackers, with rare exceptions. Meanwhile, feeling their impunity, the TrickBot group together with their “partners” turned even more aggressive. Obviously, sanctions will not stop these crooks from doing dirty deeds, but they will create a lot of problems with money laundering and transactions involving the dirty money they have.

The post TrickBot Members Sanctioned By U.S. and UK appeared first on Gridinsoft Blog.
