On September 7, 2023, NCA released a statement regarding the new complex pack of sanctions against Russian Conti cybercrime group members. Accused of participating in extortions worth $800 million, gang members have now lost any property and equity under the US and UK jurisdiction.
US and UK Authorities Uncover 11 More Russian Hackers Related to Conti And TrickBot
Notice regarding joint operations between American and British authorities appeared on several sites simultaneously. As in the previous case of sanctions towards russian hackers, US Treasury and UK National Crime Agency released statements regarding it. They successfully managed to uncover the personalities of 11 individuals that are related to the Trickbot/Conti cybercriminal gang.
Authorities have found and proven the relation of the accused individuals to attacks on UK and US government and educational organisations, hospitals and companies. This in total led to a net loss of £27 million in the UK only, and over $800 million around the world. Despite the formal Conti group dissolution in June 2022, members remained active under the rule of other cybercriminal groups.
Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.
These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.NCA Director General of Operations Rob Jones
Authorities Published Hackers’ Personal Data
What may be the best revenge to someone fond of compromising identities than compromising their own identity? Authorities involved in the investigation and judgement probably think the same, as they have published detailed information about each of 11 sanctioned hackers.
| Name | Online Nicknames | Position |
|---|---|---|
| Dmitry Putilin | Grad, Staff | Participated in Trickbot infrastructure purchases |
| Artem Kurov | Naned | One of the Trickbot developers |
| Maksim Galochkin | Bentley, Max17, Volhvb | Lead of the testers team, also responsible for actual development and supervision |
| Mikhail Tsarev | Frances, Mango, Khano | Mid-tier manager, responsible for money flows; also touched HR functions |
| Alexander Mozhaev | Green, Rocco | Part of the group administration |
| Maksim Rudenskiy | Buza, Binman, Silver | Lead of Trickbot’s developers team |
| Andrey Zhuykov | Adam, Defender, Dif | One of the major administrators in the cybercrime gang |
| Sergey Loguntsov | Begemot_Sun, Begemot, Zulas | Member of the development team |
| Mikhail Chernov | m2686, Bullet | Part of the group’s internal utilities |
| Vadym Valiakhmetov | Weldon, Mentos, Vasm | Part of the development team, responsible for backdoors and loaders |
| Maksim Khaliullin | Kagas | Chief HR manager of the group. Responsible for purchasing VPSs for TrickBot infrastructure. |
What is the Conti/TrickBot group?
As cybercrime gangs are commonly named by their “mainstream” malware, the Conti gang was mostly known for their eponymous ransomware. But obviously, that was not the only payload they were using in their attacks. Throughout its lifetime, Conti was working with, or even directly using several stealer families. Among them is an infamous QakBot, whose botnet was hacked and dismantled at the edge of summer 2023, and TrickBot. They were mostly known as stand-alone names, besides being actively used in collaboration with different ransomware gangs, including Conti.
QakBot is an old-timer of the malware scene. Emerged in 2007 as Pinkslipbot, it quickly became successful as infostealer malware. With time, it was updated with new capabilities, particularly ones that make it possible to use it as an initial access tool/malware delivery utility. This predetermined the fate of this malware – it is now more known as a loader, than a stealer or spyware. Although it may be appropriate to speak of QBot in the past tense, as its fate after the recent botnet shutdown is unclear.
Trickbot’s story is not much different. The only thing in difference is its appearance date – it was first noticed in 2016. Rest of the story repeats – once an infostealer, then a modular malware that can serve as initial access tool and loader. Some cybercriminals who stand after Trickbot were already sanctioned – actually, they are the first sanctioned hackers ever.
Are sanctions seriously threatening hackers?
Actually, not much. Sanctions are not a detainment, thus the only thing they lose is property in the US and the UK. Though, I highly doubt that any of those 11 guys had any valuable property kept in the countries they were involved in attacks on. All this action is mostly a message to other hackers – “you are not as anonymous as you think you are, and not impunable.”. The very next step there may be their arrest – upon the fact of their arrival to the US/UK, or countries that assist them in questions of cybercrime investigation. But once again – I doubt they’re reckless enough to show up in the country where each police station has their mugshot pinned to the wanted deck.
