US and UK Sanction Members of Russian TrickBot GangUS Prosecutors Unseal Indictment Against Senior TrickBot Figure
Russian operators of the TrickBot banking Trojan that later evolved into a ransomware dropper felt trans-Atlantic pressure Thursday through sanctions imposed by the United States and the United Kingdom and an indictment against a senior figure unsealed by U.S. federal prosecutors in New Jersey.
Prosecutors also unsealed an indictment against one of the sanctioned individuals, Vitaly Kovalev, charging him with nine counts of bank fraud or conspiracy to commit bank fraud. The charges stem from a series of fraudulent transactions made in U.S. banks in 2009 and 2010 to transfer nearly $1 million in stolen funds, the bulk of which ended up abroad. Kovalev is a "senior figure" in TrickBot, the U.S. Treasury says, although the alleged fraud occurred before his involvement in TrickBot.
The U.S. Treasury says members of the TrickBot group are associated with Russian intelligence services - and that its activities "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services." In a statement, U.S. Secretary of State Anthony Blinken accused the Kremlin of harboring groups such as Trickbot, calling Russia "a safe haven for cybercriminals."
In addition to Kovalev who also goes by "Bentley" online, the sanctioned individuals are Mikhail Isktritskiy, aka Tropa; Valentin Karyagin, aka Globus; Maksim Michailov, aka Baget; Dmitry Pleshevskiy, aka Iseldor; Valery Sedletski, aka Strix; and Ivan Vakhromeyev, aka Mushroom.
The sanctions freeze any assets the seven men may have had in U.S. or U.K. financial institutions and also puts the global financial system on notice to avoid transactions that can be tied to them. Any foreign financial institution that facilitates a significant transaction or provides significant financial services for any of the seven men could itself be subject to sanctions.
"By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account," said U.K. Secretary of State for Foreign, Commonwealth and Development Affairs James Cleverly.
The combination of sanctions from U.S. and. U.K. regulators will make it difficult for the seven men to convert stolen money into Western hard currencies, said Dave Stetson, a former attorney-adviser in the Office of the Chief Counsel at the Treasury Department's Office of Foreign Assets Control. European banks will also likely refuse to process transactions tied to the Russian men, he said.*
Trans-Atlantic coordination on sanctions against Russian entities notably strengthened following Moscow's February 2022 invasion of Ukraine. Last October, the U.S. and U.K. pledged deeper partnership, an association that paid dividends with today's announcement, Stetson said.
The sanctions also complicate the calculus for victims considering paying ransomware hackers' extortion demands. The U.S. Treasury reserves the right to enforce sanctions violations on the basis of strict liability, meaning it does not need to prove intent to enter into prohibited transactions. Federal guidance urges companies to coordinate with authorities when responding to a ransomware demand - meaning that "OFAC may be able to give some form of comfort that, based on the information available to the U.S. government, a sanctions target is not involved in any transaction," Stetson said.
In exceptional cases, OFAC "may be able to give a certain degree of comfort about nonexercise of its enforcement authority" when there is a connection, he added.
TrickBot Evolves From Banking Trojan to Hospital Killer
U.S. officials say TrickBot chose hospitals and healthcare centers as targets for ransomware attacks during the height of the novel coronavirus pandemic. Among its victims were three Minnesota medical facilities forced to turn away emergency patients.
Security researchers first identified TrickBot in 2016 and monitored its evolution from a variant of an earlier banking Trojan dubbed Dyre or Dyreza into a vector for Conti and Ryuk ransomware. The Washington Post reported in 2020 that U.S. Cyber Command had mounted an operation to disrupt the TrickBot botnet ahead of the American presidential election to head off potential ransomware attacks on state or local voter registration offices. Cybersecurity experts expected the operation to have only a temporary effect (see: Microsoft, Others Dismantle TrickBot Botnet).
Two alleged TrickBot members already face prosecution in U.S. courts. South Korea in late 2021 extradited Russian national Vladimir Dunaev, accusing him of developing the TrickBot malware by overseeing creation of browser injection, machine identification and data harvesting functions. He is being prosecuted alongside Alla Witte, a Latvian national also arrested in 2021 and accused by prosecutors of working as a TrickBot developer on the control and deployment of ransomware, obtaining extortion payments and developing software tools to store stolen credentials. Witte's prosecution is ongoing in the U.S. District Court for the Northern District of Ohio.
As with many types of malware, TrickBot's operators refined their code to add additional capabilities and meet changing criminal demands. Updates included making it serve as a dropper - a tool for downloading additional software onto an endpoint it had infected. It also gained web injection capabilities, allowing it to spoof legitimate banks and cryptocurrency exchanges.
In 2021, TrickBot appeared to begin an initial access relationship with the Conti ransomware group, giving it exclusive use of all TrickBot-infected endpoints so they could be infected with Conti's crypto-locking malware, threat intelligence firm Advanced Intelligence reported. "By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers joining the ransomware cosa nostra," it said. Conti's operators later spun off multiple groups - some of which continue to use TrickBot-derived code - before retiring the Conti brand name in May 2022.
Researchers from Intel 471 in early 2022 concluded with "high confidence" that TrickBot operators had shifted from working on their software to joining forces with operators of the Emotet malware. The two groups had already previously collaborated, when TrickBot malware was used to bring back Emotet after a damaging takedown in 2021.
TrickBot gang members likely concluded that the high rate of antivirus detection of their malware made it time to cut their losses, an Intel 471 spokesperson said in an email.**
With reporting by ISMG's Mathew Schwartz.
Updated Feb. 9, 2023, 16:26 UTC: Additional information added throughout.
*Additional update Feb. 9, 2023 19:48 UTC: Adds commentary from Dave Stetson.
**Additional update Feb. 9, 2023 21:43 UTC: Adds comment from Intel 471.