UK and US sanction 11 members of Russia-based TrickBot cybercrime gang

September 08, 2023THNCybercrime/malware

The British and American governments on Thursday sanctioned 11 individuals suspected of being part of the notorious Russian-based cybercrime gang TrickBot.

“Russia has long been a haven for cybercriminals, including the TrickBot group,” according to the US Treasury Department. saidadding that he has “ties to Russian intelligence and has targeted the U.S. government and U.S. businesses, including hospitals.”

The targets of the sanctions are administrators, managers, developers and coders who would have provided material assistance in its operations. Their names and roles are as follows –

• Andrey Zhuykov (aka Adam, Defender and Dif), lead administrator
• Maksim Sergeevich Galochkin (aka Bentley, Crypt, Manuel, Max17 and Volhvb), software development and testing
• Maksim Rudenskiy (aka Binman, Buza and Silver), team leader for coders
• Mikhail Tsarev (aka Alexander Grachev, Frances, Ivanov Mixail, Mango, Misha Krutysha, Nikita Andreevich Tsarev and Super Misha), human resources and finance
• Dmitry Putilin (aka Grad and Staff), purchase of TrickBot infrastructure
• Maksim Khaliullin (aka Kagas), HR manager
• Sergey Loguntsov (aka Begemot, Begemot_Sun and Zulas), developer
• Vadym Valiakhmetov (aka Mentos, Vasm and Weldon), developer
• Artem Kurov (aka Naned), developer
• Mikhail Chernov (aka Bullet and m2686), member of the internal utilities group
• Alexander Mozhaev (aka Green and Rocco), team member responsible for general administrative tasks

Evidence collected by threat intelligence firm Nisos late last month revealed that Galochkin “changed his name from Maksim Sergeevich Sipkin and has significant financial debt as of 2022.”

“These individuals, all Russian nationals, operated beyond the reach of traditional law enforcement and hid behind pseudonyms and nicknames online,” the British government said. said. “Removing their anonymity undermines the integrity of these individuals and their criminal activities which threaten the security of the United Kingdom.”

This is the second time in seven months that the two governments have imposed similar sanctions on several Russian nationals for their affiliation with the cybercrime syndicates TrickBot, Ryuk and Conti.

This also coincides with the unsealing of indictments against nine accused in connection with the TrickBot malware and Conti ransomware programs, including seven of the newly sanctioned individuals.

Dmitriy Pleshevskiy, one of those sanctioned in February 2023, has since denied any involvement in the TrickBot gang, claiming to have used the pseudonym “Iseldor” online to perform unspecified freelance programming tasks.

“These tasks did not seem illegal to me, but perhaps this is where my involvement in these attacks comes in,” Pleshevskiy said. quoted ” as told to WIRED, which unmasked Galochkin as one of the key members of TrickBot after a months-long investigation.

To date, two other TrickBot developers have been arrested and charged in the United States. Alla Witte, a Latvian national, pleaded guilty to conspiracy to commit computer fraud and was sentenced to 32 months in June 2023. A Russian named Vladimir Dunaev is currently in detention and awaiting trial.

An evolution of the Dyre banking Trojan, TrickBot began in a similar fashion in 2016 before evolving into a flexible, modular malware suite that allows malicious actors to deploy higher-level payloads such as ransomware.

The cybercrime group, which managed to survive a takedown effort in 2020, was absorbed by the Conti ransomware cartel in early 2022 and, as evidenced by the roles mentioned above, operated as a legitimate business with a structure of professional management.

Conti was officially disbanded in May 2022 following a wave of leaks two months earlier that offered unprecedented insight into the group’s activities, which, in turn, were triggered by the group’s support for Russia in the latter’s war against Ukraine.

Anonymous dumps, nicknamed ContiLeaks And Tipspopped up within a few days of each other in early March 2022, leading to the release of tons of data on their internal chats and online infrastructure. A previous account named TrickBotLeaks which was created in X (formerly Twitter) was quickly suspended.

“In total, there are approximately 250,000 messages containing over 2,500 IP addresses, approximately 500 potential crypto wallet addresses, and thousands of domains and email addresses,” Cyjax note in July 2022, in reference to the TrickBot data cache.

According to the UK’s National Crime Agency (NCA), the group is estimated extorted at least $180 million from victims worldwide and at least £27 million from 149 victims in the UK

Despite continued efforts to disrupt Russian cybercriminal activities through sanctions and indictments, threat actors continue to thrive, although they operate under different names to evade the ban and exploit common tactics to infiltrate their targets.