The indictments of multiple members of the TrickBot/Conti Ransomware groups have recently been unsealed and 11 members of these cybercriminal operations have been sanctioned by the United States and the United Kingdom.
A federal grand Jury in the Southern District of California indicted and charged Russian national, Maksim Galochkin, his role in a cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have conducted more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin and co-conspirators Maksim Rudenskiy, Mikhail Mikhailovich Tsarev, Andrey Yuryevich Zhuykov, Dmitry Putilin, Sergey Loguntsov, Max Mikhaylov, Valentin Karyagin, and Maksim Khaliullin, over the use of TrickBot malware to steal funds and confidential information from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States from 2020 until June 2022 when the Conti operation was disbanded.
Galochkin was also one of 11 individuals recently sanctioned by the U.S. Department of Justice, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the United Kingdom for being part of the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 and started life as a banking Trojan. The malware was developed from the Dyre Trojan and was used to attack and steal money from non-Russian businesses. The modular malware evolved over the years and new capabilities were added which allowed the TrickBot gang to conduct a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims around the world and conducted many attacks on hospitals and other healthcare providers in the United States. While the TrickBot gang is a cybercriminal group, members of the group are associated with the Russian intelligence services and have conducted attacks on the U.S. government and other U.S. targets in line with the objectives of the Russian intelligence services.
The 11 sanctioned individuals materially assisted with TrickBot operations and include administrators, managers, developers, and coders. Galochkin (aka Bentley, Crypt, Volhvb) is alleged to have led a group of testers and had responsibilities for the development, supervision, and implementation of tests. The other 10 sanctioned individuals are senior administrator Andrey Zhuykov (aka Dif, Defender); lead coder Maksim Rudenskiy; human resources and finance manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (aka grad, staff); HR manager Maksim Khaliullin (aka Kagas); TrickBot developer Sergey Loguntsov; internal utilities group member Mikhail Chernov (aka Bullet); admin team member Alexander Mozhaev (aka Green and Rocco); and coders Vadym Valiakhmetov (aka Weldon, Mentos, Vasm) and Artem Kurov (aka Naned).
18 members of the TrickBot operation have now been sanctioned with the latest 11 adding to the 7 members sanctioned by the United States and United Kingdom in February this year. The addition of these individuals to OFAC’s sanctions list means all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. All dealings with these individuals by U.S. persons are prohibited, including paying ransoms. Individuals who engage in transactions with sanctioned individuals may themselves be exposed to OFAC designation and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals could be subject to U.S. correspondent or payable-through account sanctions.
All of the indicted and sanctioned individuals remain at large. That is likely to remain the case as they are believed to reside in Russia where there is no extradition treaty with the United States.
The post Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned appeared first on HIPAA Journal.