On Sept. 7, 2023, the U.S. and U.K. announced sanctions against new individuals and indicted others for alleged involvement in the Trickbot botnet and Conti ransomware. This is a blow against a flagrant, long-running and mostly Russian cybercriminal ecosystem, which Intel 471 has been closely following.
Eleven individuals were sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.K. Foreign, Commonwealth & Development Office. In its announcement, the U.S. Treasury Department alleges that “members of the Trickbot group are associated with Russian intelligence services” and that the group’s activity in 2020 aligned it with Russian state objectives. A total of 18 people have now been sanctioned related to Trickbot, including a first-ever round of joint U.S.-U.K. cybercrime sanctions levied in February 2023. In tandem with the new sanctions, the U.S. Department of Justice unsealed three federal indictments charging eight Russian men and one Ukrainian man with computer crimes related to Trickbot and Conti.
Since 2016, Trickbot has played a huge role in distributing some of the most prevalent and damaging ransomware strains: Conti, REvil, Ryuk, ProLock, Egregor and Black Basta. Attacks using those ransomware variants have disrupted at minimum hundreds of schools, hospitals and businesses and caused billions of dollars in damages. The Conti and REvil groups and their affiliates elevated the view of ransomware to a national security threat through the execution of attacks against Ireland’s Health Service Executive, Costa Rica and customers of software maker Kaseya.
The Ohio federal indictment is a deep dive into Trickbot, starting from its evolution from the Dyre banking trojan and drawing on detailed payment records and chat logs. The California federal indictment covers a devastating Conti ransomware attack against Scripps Health, a nonprofit health system in San Diego. That indictment names only one defendant, Maksim Galochkin, 41, of Russia, who allegedly operated under the persona bentley. The attack against Scripps Health in May 2021 compromised 150,000 patient records, disrupted medical care and cost the health care provider at least US $112.7 million. The Tennessee federal indictment covers Conti attacks in that state, including a government victim that saw its sheriff’s department, emergency services and a police department’s systems encrypted. The victim paid a US $174,000 ransom in bitcoin. Galochkin is a defendant in all three indictments.
Galochkin was named in an investigation published by Wired Aug. 30, 2023, and was identified as the persona bentley. His identification is based on public leaks and research from threat intelligence firms. Data collected by Intel 471 does not conflict with the conclusion. Galochkin’s name first surfaced publicly in March 2022 as part of a large data release pertaining to the Trickbot group.
The data was released through two anonymous Twitter accounts, @TrickbotLeaks and @trickleaks. The accounts released a huge amount of data that according to threat intelligence firm Cyjax encompassed 250,000 messages, 2,500 IP addresses, 500 potential cryptocurrency wallet addresses and thousands of domains and email addresses.
What’s not mentioned in the three indictments is that Galochkin’s bentley persona also surfaces in connection with the Qakbot botnet, also known as QBot. QBot was significantly disrupted by law enforcement in August 2023. QBot emerged in 2007, when cybercriminals were focused on online banking theft. Until its disruption last month, QBot was never the largest botnet, but it was one of the most consistent in the malware distribution scene. It infected hundreds of thousands of computers and was used by a group of long-standing, top-tier and highly vetted cybercrime actors. QBot also distributed ransomware including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. In the Conti ransomware data leaks, the threat actor tramp asks bentley for assistance in crypting QBot to stop detection by SentinelOne or Symantec Endpoint Protection security software. Crypting is the term for making malware undetectable to antimalware systems. Bentley takes on the crypting job, work the threat actor had already been doing for Conti. This illustrates how small the circles of Russian cybercrime are.
It’s unlikely but not impossible that those charged in relation to the Conti ransomware attacks will face a day in U.S. court. Russia’s constitution prohibits extradition of its citizens. But the actions show the intense pressure that international law enforcement is exerting on veteran players in the Russian cybercrime scene. This action contributes to the multilateral effort dedicated to imposing costs on ransomware actors. Hopefully, it will also serve as a deterrent and have an impact on a long-running cybercriminal ecosystem.