Seven Russian cyber criminals who are linked to the group behind some of the most damaging ransomware attacks on the UK in recent years have been exposed and sanctioned by the UK and the US.
The sanctions, which are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), form part of a concerted campaign by the UK and the US to tackle international cyber crime.
They follow a lengthy investigation by the National Crime agency into the crime group behind Trickbot malware, as well as the Conti and RYUK ransomware strains, among others.
The NCA assesses that the group was responsible for extorting at least £27 million from 149 UK victims, including hospitals, schools, businesses and local authorities, although their true impact is likely to be much higher.
National Crime Agency Director General Graeme Biggar said:
“This is a hugely significant moment for the UK and our collaborative efforts with OFAC to disrupt international cyber criminals.
“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.
“This is an excellent example of the dedication and expertise of the NCA team who have worked closely with partners on this complex investigation. We will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.”
Ransomware is a tier one national security threat, with attacks continuing to increase in scale and complexity. The criminals behind these attacks specifically target the systems of organisations they judge will pay them the most money and time their attacks to cause maximum damage, including targeting hospitals in the middle of the pandemic.
Although the Conti group disbanded last year, reporting suggests it’s members, including those sanctioned today, continue to be involved in some of the most notorious new ransomware strains that dominate and threaten UK security.
The seven cyber criminals are now subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system.
Foreign Secretary James Cleverly said:
“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.”
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.”
An indictment was unsealed today in the US District Court for the District of New Jersey charging one of the individuals, Vitaliy Kovalev, with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various US-based financial institutions that occurred in 2009 and 2010.
This alleged offending predates that of the Conti group.
According to research from Chainalysis, the group extorted $180 million from global ransomware victims in 2021 alone.
Recent victims in the UK include the Scottish Environment Protection Agency, food distribution firm Reed Boardall, Redcar and Cleveland Council, and forensic laboratory Eurofins.
Internationally the Irish Health Service Executive, Costa Rican Government and American healthcare providers were targeted.
Security Minister Tom Tugendhat said:
“We’re targeting cyber criminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, hurt many and disrupted lives, at great expense to the taxpayer.
“Cyber-crime knows no boundaries and threatens our national security. These sanctions identify and expose those responsible.”
The Russian State provides a permissive environment for ransomware actors to operate by neglecting their responsibility to investigate and disrupt such groups and, in some instances, by actively supporting these groups in their criminal endeavours.
The NCSC assessed that key members of the Conti group highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking.
The group was one of the first cybercrime groups to back Russia’s war in Ukraine, voicing their support for the Kremlin within 24 hours of the invasion.
National Cyber Security Centre (NCSC) CEO Lindy Cameron said:
“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be.
“The NCSC is working with partners to bear down on ransomware attacks and those responsible, helping to prevent incidents and improve our collective resilience.
“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”
If you are the victim of a ransomware attack, you should use HMG’s Cyber Incident Signposting Site as soon as possible for direction on which agencies to report your incident to.
Today, OFSI are also publishing new public guidance [https://www.gov.uk/government/publications/financial-sanctions-faqs], which sets out the implications of these new sanctions in ransomware cases.
Making funds available to the individuals such as paying ransomware, including in crypto assets, is prohibited under these sanctions. Organisations should have or should put in place robust cyber security and incident management systems in place to prevent and manage serious cyber incidents.
Those designated today are:
- Vitaliy KOVALEV (historical use of AKA Ben and AKA Bentley)
- Valery SEDLETSKI (AKA Strix)
- Valentin KARYAGIN (AKA Globus)
- Maksim MIKHAILOV (AKA Baget)
- Dmitry PLESHEVSKIY (AKA Iseldor)
- Mikhail ISKRITSKIY (AKA Tropa)
- Ivan VAKHROMEYEV (AKA Mushroom)
9 February 2023