
US, UK sanction seven members of Trickbot cybercrime gang

U.S. Treasury Secretary Janet Yellen

Correction: a previous version of this story and headline named all seven sanctioned members as Russian nationals. Six were born in Russia, while one was born in Ukraine. SC Media regrets the error.

The U.S. and UK governments took aim at the notorious Trickbot gang Thursday, slapping economic sanctions on six Russians and one Ukrainian they say are “associated” with Russian intelligence services, and whose preparations for and targeting of U.S. governments and companies in 2020 allegedly closely mirrored the targeting and larger objectives of the Russian government.

In a joint move, the U.S. Department of the Treasury, as well as the UK’s Treasury office, the Foreign, Commonwealth and Development Office, and the National Crime Agency levied economic penalties on the seven individuals that would freeze any assets they may have in the two countries and bar them from doing business with American or UK residents and businesses.

All of the named individuals were deeply involved in Trickbot’s cybercrime operations, including developing malware or ransomware, hacking into victim websites, managing infrastructure or overseeing money laundering operations for the group, according to the two governments. The announcement even includes the nicknames and monikers that each operator — six Russian-born and one Ukrainian-born — uses online, along with their email addresses and dates of birth.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Brian E. Nelson, U.S. under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

Russian government coordinating Trickbot's expansion of operations?

For years, Trickbot made its name as a popular banking trojan, as well as a larger cybercrime syndicate. In more recent years, the group evolved into a “highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” according to the U.S. Cybersecurity and Infrastructure Security Agency.

The sanctions reflect the decentralized structure that exists between different ransomware and cybercrime groups, where individual hackers can often moonlight for different financial or state-backed hacking outfits and "membership" to any one group is often akin to a contractor relationship.

Adam Meyers, head of intelligence at CrowdStrike, described the sanctioned members as part of a group CrowdStrike tracks under the moniker "Wizard Spider," which he described as "a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools" and whose members have been involved in the operations of TrickBot, Conti and Ryuk.

Last year, leaks exposing Trickbot revealed not only Russia's involvement with its members but also the location where the operation is based, members' roles within the organization and in the commercial world, and their reasons for joining the operation, according to a June 2022 Cyjax report.

The group’s expansion of operations includes increasing involvement in ransomware (the group was blamed for a wave of attacks against U.S. hospitals in 2020) as well as newer campaigns that seemingly reveal close coordination with the wartime goals of the Russian government.

Last year, IBM’s X-Force security team found that between mid-April and mid-June, Trickbot and the Conti ransomware gang had “been systematically attacking Ukraine since the Russian invasion,” with at least six distinct hacking campaigns leveraging a variety of malware strains.

The link was notable because Trickbot did not have a meaningful footprint in the country prior to the invasion, and previous versions of its malware were configured to avoid Ukrainian-language systems and devices, the researchers said.

The moves represent the first British sanctions levied on a ransomware group, and the UK announcement also mentions the individuals in connection with other ransomware operations, like Ryuk and Conti.

Foreign Secretary James Cleverly named these groups as being responsible for causing untold damages to critical infrastructure, businesses and individual victims around the world.

“These cynical cyberattacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organized crime — whatever its form and wherever it originates,” Cleverly said.

Sanctions on Russian hackers viewed as ineffective

The group has taken hits in the past — most notably when Microsoft obtained a court order in 2020 that allowed it to disrupt the servers and infrastructure Trickbot operators used to communicate with infected devices around the world — only to reemerge later and resume operations.

"While WIZARD SPIDER’s operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary’s operations while they look for ways to circumvent the sanctions," said Meyers. "Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name.”

Levying economic sanctions on Russian hackers is widely viewed as ineffective since they live and operate in a country that has no extradition treaty with the U.S. or UK and where there is significant evidence that they maintain a real — if often informal — symbiotic relationship with Russian intelligence services.

While Russian President Vladimir Putin’s government briefly appeared to take a harder line by arresting members of the REvil ransomware gang last year, the moves were widely viewed as an attempt to entice U.S. and Western governments to avoid openly opposing Russia’s invasion of Ukraine or sending Kyiv military and financial support.

“The fact of the matter is that the U.S. government has passed on information to the Russians [about these actors] months ago and the fact is we’re only seeing them act on it in the midst of these serious questions around a potential Ukraine invasion, threats of various severe sanctions against the Russian economy and the counterthreat of Putin to break off diplomatic relations,” Dmitri Alperovitch, the former founder of CrowdStrike who now runs the Silverado Policy Accelerator, told SC Media in the run up to the invasion.

For U.S. and UK businesses, the designations will make it significantly more difficult to pay ransom demands if they are hit by the group, since doing so would technically violate those same economic sanctions. Both governments have developed guidance for businesses and individuals on dealing with sanctioned ransomware groups.

Jamie Collier, a senior threat advisor for Mandiant and Google Cloud, noted that in the past, economic sanctions have typically been used against nation-state hacking groups. However, the damage caused by ransomware within the U.S. and partner nations, as well as the often ambiguous ties that some groups have to governments like Russia’s, have made ransomware actors a priority for policymakers in recent years.

"We're now seeing these methods increasingly used with ransomware actors, reflecting the growing priority of cyber crime on national security agendas," said Collier.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
