The UK government has sanctioned seven Russian cyber criminals associated with the Conti and Ryuk ransomware operations, freezing their assets and imposing travel bans, in a coordinated action with the US authorities.
The seven men, named today as Vitaliy Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev, were found to be associated with the development and deployment of Conti, Diavol and Ryuk, as well as various malwares including Trickbot, Anchor, BazarLoader and BazarBackdoor.
Over time, the group bore various monikers assigned to it by security researchers, including Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot.
During their cyber crime spree, they extorted an estimated £27m from 149 known victims in the UK – including hospitals, schools, businesses and local authorities. Famously, the cartel was behind the attack on Ireland’s Health Service Executive in the spring of 2021. It also hit organisations including the Scottish Environmental Protection Agency and fashion retailer FatFace.
The group disbanded in 2022 after it backed Russia’s attack on Ukraine, leading to a series of damaging leaks by Ukraine-supporting operatives, but according to the National Cyber Security Centre, its members have almost certainly moved on and are now associated with other currently active ransomware operations. The agency also believes those sanctioned today may have links, and have likely received tasking, from the Russian intelligence services.
“By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” said foreign secretary James Cleverly.
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.”
Graeme Biggar, director of the National Crime Agency (NCA), which identified the gang’s British victims and led the investigation, added: “This is a hugely significant moment for the UK and our collaborative efforts with the US to disrupt international cyber criminals.
“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.
“This is an excellent example of the dedication and expertise of the NCA team who have worked closely with partners on this complex investigation,” said Biggar. “We will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.”
The NCA is continuing to pursue other investigative lines of inquiry to further disrupt the ransomware threat to British organisations, and today’s announcement marks the start of a joint campaign of coordinated action against ransomware actors being run alongside US partners.
It is, however, unlikely that any of the seven men involved will ever face justice in the West – Russia does not allow its citizens to be extradited and, given the current geopolitical climate, the chances of Moscow’s cooperation at any level are effectively zero. However, as is usual when governments take this sort of action, it is hoped the act of naming them will cause them considerable inconvenience, removing their ability to operate anonymously and highlighting the corruption and criminal links endemic in the Russian intelligence services.
Don Smith, vice-president of threat research at the Secureworks Counter Threat Unit, has been tracking Conti in its various guises for a long time.
“These sanctions represent positive, coordinated steps in the global fight against ransomware,” Smith told Computer Weekly.
“By targeting the specific named individuals in the sanctions today, [they] give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals, while avoiding criminalising and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions,” he said.
At the same time, the UK Office of Financial Sanctions Implementation has published new public guidance to better explain the implications of sanctions against ransomware operators. Similar to how other sanctions work, making funds available to any of the named individuals through ransomware payments now becomes prohibited.