February 12, 2023

UK and US jointly sanction 7 members of Russian cybergang responsible for global ransomware attacks

On February 9, 2023, the US and the UK imposed joint cyber sanctions upon 7 Russian nationals who are members of Trickbot, a Russia-based cybergang. These are reportedly the first sanctions of their kind for the UK and the result of a collaborative effort between US and UK authorities aimed at disrupting Russian cybercrime and ransomware. The US Department of the Treasury reports that, as leaders in the global fight against cybercrime, the US and UK are committed to using every tool at their disposal to defend against cyber threats. According to the UK, these sanctions are the first wave of a new coordinated action against ransomware actors, after the National Crime Agency identified 149 individuals and businesses in the UK that were recently affected by ransomware strains known as Conti and Ryuk.

Security researchers first identified Trickbot in 2016 as a trojan virus that, along with the Dyre trojan strain, was designed by a group of cybercriminals to steal financial data. Trickbot has evolved over the years into a highly modular malware suite that enables the group to engage in a variety of cyber activities, including ransomware attacks. The Trickbot Group has assumed responsibility for a wave of ransomware attacks against US hospitals at the height of the COVID-19 pandemic in 2020, which resulted in the disruption of computer networks and telephones and the diversion of ambulances at three Minnesota medical facilities. OFAC reports that the current members of Trickbot are associated with Russian Intelligence Services, and the group has been freely perpetrating malicious cyber activities against the US, the UK, and its allies and partners.

The US Treasury’s Office of Foreign Assets Control designated 7 of Trickbot’s members pursuant to Executive Order 13694, as amended by EO 13757, for engaging in or supporting significant malicious cyber-enabled activities or activities described in subsection (a)(ii) of section 1 of EO 13694, as amended. As a result of these designations, all property and interests in property of these designees within the United States or within the possession or control of a U.S. person are blocked, and U.S. persons are generally prohibited from engaging in transactions involving the designated persons. In addition, entities owned 50 percent or more by one or more blocked persons are also blocked.

In the UK, ransomware is a tier 1 national security threat and, while cyberattacks against businesses and public sector organizations are on the rise, the recent victims in the UK were schools, local authorities, and private firms. The UK reports that other recent ransomware targets include the Irish Health Service Executive, the Costa Rican government and American healthcare providers. In response to these attacks, the UK imposed asset freezes and travel bans upon the same 7 Russian nationals that were designated by the United States. The restrictive measures were imposed pursuant to the Cyber (Sanctions) (EU Exit) Regulations 2020, which prohibit UK individuals and entities from making funds available to sanctioned persons – this includes ransomware payments and payments in crypto assets. The UK’s Office of Financial Sanctions Implementation also published new public guidance on the implications of these new sanctions and their effect on ransomware cases.

Department of Treasury Press Release | UK Government Press Release