The U.K. National Crime Agency released this composite photo of some of the individuals sanctioned by the U.K. and U.S. for their alleged involvement in the Trickbot botnet and Conti ransomware gang.
On Sept. 7, 2023, the U.S. and U.K. announced sanctions against new individuals and indicted others for alleged involvement in the Trickbot botnet and Conti ransomware. This a blow against a flagrant, long-running and mostly Russian cybercriminal ecosystem, which Intel 471 has been closely following.
Eleven individuals were sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.K. Foreign, Commonwealth & Development Office. In its announcement, the U.S. Treasury Department alleges that “members of the Trickbot group are associated with Russian intelligence services” and that the group’s activity in 2020 aligned it with Russian state objectives. A total of 18 people have now been sanctioned related to Trickbot, including a first-ever round of joint U.S.-U.K. cybercrime sanctions levied in February 2023. In tandem with the new sanctions, the U.S. Department of Justice unsealed three federal indictments charging eight Russian men and one Ukrainian man with computer crimes related to Trickbot and Conti.
Since 2016, Trickbot has played a huge role in distributing some of the most prevalent and damaging ransomware strains: Conti, REvil, Ryuk, ProLock, Egregor and Black Basta. Attacks using those ransomware variants have disrupted at minimum hundreds of schools, hospitals and businesses and caused billions of dollars in damages. The Conti and REvil groups and their affiliates elevated the view of ransomware to a national security threat through the execution of attacks against Ireland’s Health Service Executive, Costa Rica and customers of software maker Kaseya.
The name Maksim Galochkin of Russia surfaced in March 2022 related to the Trickbot botnet via anonymous Twitter account, the tweets of which were restated by other Twitter accounts such as the one above.
The data was released through two anonymous Twitter accounts, @TrickbotLeaks and @trickleaks. The accounts released a huge amount of data that according to threat intelligence firm Cyjax encompassed 250,000 messages, 2,500 IP addresses, 500 potential cryptocurrency wallet addresses and thousands of domains and email addresses.
One of two anonymous Twitter accounts that released voluminous amounts of data and chats related to alleged Trickbot botnet members.
What’s not mentioned in the three indictments is that Galochkin’s bentley persona also surfaces related to the Qakbot botnet, also known as QBot. QBot was significantly disrupted by law enforcement in August 2023. QBot emerged in 2007 when cybercriminals were focused on online banking theft. Until its disruption last month, QBot was never the largest botnet, but it was one of the most consistent in the malware distribution scene. It infected hundreds of thousands of computers and was used by a group of long-standing, top-tier and highly vetted cybercrime actors. QBot also distributed ransomware including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta. In the Conti ransomware data leaks, the threat actor tramp asks bentley for assistance in crypting QBot to stop detection by SentinelOne or Symantec Endpoint Protection security software. Crypting is the term for making malware undetectable to antimalware systems. Bentley takes on the crypting job, which the threat actor had already been doing for Conti. This shows the small circles of Russian cybercrime.
It’s unlikely but not impossible that those charged related to the Conti ransomware attacks will face a day in U.S. court. Russia’s constitution prohibits extradition of its citizens. But the actions show the intense pressure that international law enforcement is exerting on veteran players in the Russian cybercrime scene. This action contributes to the multilateral effort dedicated to imposing cost on ransomware actors. Hopefully, it will also serve as a deterrent and impact a long-running cybercriminal ecosystem.