The Trickbot-Conti Ransomware Gang Has Been Sanctioned
Feb 13, 2023
The U.S. and U.K. announced sanctions against one Ukrainian national and six Russian nationals on Feb. 9, 2023, for their alleged involvement in TrickBot malware and Conti ransomware attacks. The action marks a continuing strategy to disrupt those involved in cybercrime and ransomware through prosecutions and sanctions. With the announcement, U.S. and U.K. authorities released the real names, birthdates, email addresses and handles used on underground forums of those who were sanctioned. The countries also say those named are “associated” with Russian intelligence services, a link that has long been suspected. The TrickBot gang is regarded as one of the most financially profitable cybercrime groups.
Intel 471 has tracked the handles of those now under sanction. What’s notable is the direct link between cybercriminal operations stretching back more than a decade and ones that have caused recent harm. As others have observed, it’s a relatively small pool of criminals engaging in persistent malicious activity, but they are unfortunately out of the reach of law enforcement agencies willing to take action.

TrickBot: Gateway to Ransomware
Before ransomware’s reach began expanding in 2015, cybercriminals stole money from online bank accounts. To do that, they used banking malware that went by names including Dyre, GameOver Zeus and Zeus. TrickBot, which appeared in 2016, traces its lineage to Dyre. It became one of the most pervasive types of banking malware for several years, infecting millions of computers. Victims were infected after clicking malicious links or attachments in spam emails. Like other types of banking malware, TrickBot could steal login credentials and then funnel those credentials to cybercriminals who would transfer money from the accounts.
Banking malware, however, fell out of favor not long after TrickBot appeared. Ransomware, which involves extorting victims after encrypting their files, became the preferred money-making tool. With that transition, TrickBot became an integral distribution mechanism due to its large footprint. TrickBot provided a pipeline of foothold infections that could be used to install ransomware strains such as Ryuk and Conti. Over time, however, researchers became better at tracking TrickBot, and anti-malware products improved at detecting and removing it from computers. TrickBot was also targeted by Microsoft and U.S. Cyber Command in October 2020. Although that action did not completely eradicate the botnet, it made operations harder for TrickBot’s operators. Eventually, another type of malware and botnet, Emotet - which we covered in depth here - surpassed it.
TrickBot Group: Underground Insight
Intel 471’s intelligence analysts have observed the personas sanctioned by authorities throughout the cyber underground for some time. Additional details include:
Vitaly Nikolayevich Kovalev, 34, of Russia
Handles: “Bentley,” “Ben,” “Benny” and “Alex Konor”
The U.S. and U.K. say he was a “senior figure within the TrickBot Group.” In addition to sanctioning him, U.S. prosecutors unsealed an indictment from 2012 that implicates him in the theft of US $950,000 from online bank accounts between 2009 and 2010. He’s also accused of coordinating with other people (known as “money mules”) to wire the money overseas.
Intel 471 has observed Bentley’s deep involvement in financial crime and eventually ransomware. Bentley was one of the principal members of GameOver Zeus, which was a type of banking malware and a botnet used to distribute the CryptoLocker ransomware. GameOver Zeus was disrupted by law enforcement in 2014. At that same time, prosecutors announced an indictment against GameOver Zeus’s administrator, Evgeniy Mikhailovich Bogachev, known on cybercrime forums as “slavik” and “lucky12345.” Conversations on an underground forum called Mazafaka point to slavik and Bentley having a working relationship and perhaps sharing the same handle (“Ferrari”) on the forum. Bogachev remains at large and on the FBI’s Cyber Most Wanted List.
Bentley became involved in TrickBot, and then eventually – in a merging of cybercrime activity – the Conti ransomware gang. Conti conducted devastating ransomware attacks against Ireland’s Health Service Executive, the country of Costa Rica and dozens of other entities before disbanding. In early 2022, some 60,000 chat messages and files belonging to Conti were leaked (Intel 471's analyses are here and here), which revealed more of Bentley’s involvement. Bentley appeared to be a manager and technical lead on the malware development side, running a quality assurance team. The threat actor also oversaw people who compromised networks and were involved in developing malware.
One of Bentley’s responsibilities was ensuring that the ransomware or malware involved in TrickBot operations would evade antivirus (AV) or security software using “crypters.” Crypters change the characteristics of malware so it doesn’t get caught by these tools. Bentley managed Conti’s internal sandboxes and malware test environments as well as purchased licenses for corporate and home AV solutions. Those were used in Conti’s internal test environments to test ransomware before it was deployed to ensure it didn’t trigger an alert or action from AV or security solutions. Bentley also bought code-signing certificates from underground vendors so the TrickBot malware and Conti ransomware were signed with valid digital certificates.
Ivan Vasilyevich Vakhromeyev, 34, of Russia
Handles: “Mushroom” and “Mush”
Mushroom, whose activity traces back to the earliest versions of ZeuS and then later GameOver Zeus, was once a principal customer of Bogachev. Mushroom was a principal developer and development manager of the BazarBackdoor, which was a backdoor distributed by TrickBot.
Maksim Sergeevich Mikhailov, 46, of Ukraine
Handles: “Baget,” “maxMS76” and “vnc”
Baget was the principal developer and project manager for Conti and TrickBot. Baget appears to have supervised ransomware development, including the Diavol ransomware, which the FBI linked to the TrickBot gang. Baget also has links to the BazarLoader malware. Baget’s real name was revealed in the Conti gang’s chat leak.
Valery Veniaminovich Sedletski, 48, of Russia
Handles: “Strix” and “valerius”
Strix appears to have been heavily involved in devops and infrastructure administration. Strix managed several other administrators and operated portions of the infrastructure. He also handled infrastructure-related operational expenses.
Outlook
The imposition of sanctions against individuals accused of cybercrime has occurred before. The U.S. imposed sanctions in December 2019 against the Evil Corp group. This is the first time, however, that sanctions have been jointly levied by two countries against a cybercriminal group at the same time. One of the aims of national anti-ransomware action plans has been closer international cooperation. This joint action shows that cooperation in practice.
It’s illegal to send money to a sanctioned entity, and the U.S. government has sanctioned North Korean, Russian and Iranian cyber groups before. Evil Corp (believed to be Russia-based) was also involved in ransomware distribution, which posed complications for the group after it was sanctioned. In a June 2022 report, Mandiant wrote that Evil Corp changed its operations to evade sanctions and started using LockBit, a ransomware-as-a-service (RaaS) provider. Members and affiliates of ransomware gangs are known to join others when their operations are compromised, as we believe has occurred with individuals joining Black Basta, Quantum and Royal. If sanctioned individuals are part of those groups, victims may not pay for fear of violating sanctions. However, the U.K. and U.S. have released guidance clarifying their views on how sanctions would be enforced related to ransomware given the complexities of the crime. The reporting of a ransomware attack and ransom payment to the authorities would be considered a mitigating factor in whether a violation of sanctions incurs a penalty.
U.S. prosecutors indicted Kovalev in 2012, but kept the indictment under seal for 11 years. One tactic to disrupt cybercrime and ransomware operations when the perpetrators are in jurisdictions that will not extradite is making it more difficult for those people to continue their activities. No charges or indictments were announced for the other individuals sanctioned. Nonetheless, travel would likely be legally risky now. Naming and shaming will have long-term effects.