The U.S. and British governments on Thursday announced sanctions on seven people affiliated with the Russia-based TrickBot cybercrime gang, noting the group’s extensive history of criminal activity and some members’ affiliation with Russian intelligence services.
A statement issued by the U.S. Treasury Department referred to the group as a “notorious cyber gang,” and said the sanctions mean that all property and interests in property held by the named individuals in the U.S. or controlled by Americans must be blocked and reported to Treasury’s Office of Foreign Assets Control. Thursday’s action marks the first time the British government has issued sanctions over ransomware, it said in a statement.
The sanctions are just the latest in a series of aggressive actions taken by the U.S. government against ransomware operators and their infrastructure. On Jan. 26, the Department of Justice announced it had seized servers and the website connected to the Hive ransomware group. That announcement came a week after Anatoly Legkodymov, a Russian national living in China, was arrested in Miami in connection with running Bitzlato, a cryptocurrency exchange the government called “a haven for criminal proceeds and funds.”
Both countries’ statements highlight the connections to Russian intelligence services. “The Trickbot Group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services,” Treasury said in its statement. “This included targeting the U.S. government and U.S. companies.” The British government said that “key group members highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking.”
“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Treasury Under Secretary Brian E. Nelson said in a statement. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”
U.S. Secretary of State Antony Blinken said in a statement that the joint action “demonstrates our continued commitment to collaborating with partners and allies to address Russia-based cybercrime, and to countering ransomware attacks and their perpetrators. As Russia’s illegal war against Ukraine continues, cooperation with our allies and partners is more critical than ever to protect our national security.”
Named in Thursday’s action were: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev and Valery Sedletski.
The names of some of the men sanctioned Thursday were posted online in the days after the Russian invasion of Ukraine through a Twitter account called “trickleaks,” which posted a message March 4, 2022: “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk).”
Mikhailov, for instance, was known by the name “baget,” and a file with his image and detailed personal information was included in the leak. Vakhromeyev, known as “mushroom,” also appeared in the leaks.