For years, Russia-based ransomware gangs have launched crippling attacks against businesses, hospitals, and public sector bodies, extorting hundreds of millions of dollars from victims and causing untold disruption. And they’ve done so with impunity—but no more. Today, as part of a push to shut down ransomware gangs, the UK and US governments have unmasked some of the criminals behind the attacks.
In a rare move, officials have sanctioned seven alleged members of notorious ransomware gangs and published their real-world names, dates of birth, email addresses, and photos. All seven of the named cybercriminals are said to belong to the Conti and Trickbot ransomware groups, which are linked and often jointly referred to as Wizard Spider. Moreover, the UK and US are now explicitly calling out links between Conti and Trickbot and Russia’s intelligence services.
“By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” UK foreign secretary James Cleverly said in a statement on Thursday. “These cynical cyberattacks cause real damage to people’s lives and livelihoods.”
The seven gang members named by the two governments are: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. All the members have online handles, such as Baget and Tropa, that they used to communicate with each other without using their real-world identities.
On Thursday, the UK’s National Cyber Security Center (NCSC) said it is “highly likely” that members of the Conti group have links to “the Russian Intelligence Services” and that those agencies have “likely” directed some of the gang’s actions. NCSC is part of the UK intelligence agency GCHQ, and this is the first time the UK has sanctioned ransomware criminals.
Similarly, the US Department of the Treasury has concluded that Trickbot Group members are “associated with Russian Intelligence Services.” It added that the group’s actions in 2020 were aligned with Russia’s international interests and “targeting previously conducted by Russian Intelligence Services.”
According to the US Treasury, these members were involved in malware and ransomware development, money laundering, fraud, injection of malicious code into websites to steal login details, and managerial roles. As part of the sanctions, the UK froze assets belonging to the ransomware actors and imposed travel bans on them. The US District Court for the District of New Jersey also unsealed an indictment charging Vitaly Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud against US financial institutions in 2009 and 2010.
Governments have struggled to get a handle on the growing ransomware threat, in large part because many of the criminal groups operate in Russia. The Kremlin has provided a safe haven for these bad actors—as long as they don’t target Russian companies. Last year, following a string of particularly aggressive and disruptive attacks on US and UK targets, Russian law enforcement did arrest more than a dozen alleged members of the notorious ransomware gang REvil. But Russia has continued to be the origin point for an array of cybercriminal activity, including ransomware attacks.