Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into acting as a ransomware affiliate for Conti and other groups.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” according to an announcement from the US Treasury Department. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks “aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies.” Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

  • Vitaly Kovalev, aka Bentley or Ben
  • Maksim Mikhailov, aka Baget
  • Valentin Karyagin, aka Globus
  • Mikhail Iskritskiy, aka Tropa
  • Dmitry Pleshevskiy, aka Iseldor
  • Ivan Vakhromeyev, aka Mushroom
  • Valery Sedletski, aka Strix

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

“These sanctions are a welcome sight although they may be academic,” Timothy Morris, chief security adviser at Tanium, tells Dark Reading. “What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation.”

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly “wither,” according to a report last year from Intel 471, with the malware’s operators instead turning to the Emotet botnet to continue its incursions into businesses.

“We’ve not seen any Trickbot activity since the Feb. 2022 blog post,” Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. “It is highly likely that Trickbot won’t be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project.”
