The UK and US governments have imposed fresh sanctions, including asset freezes and travel bans, on 11 alleged members of the Russian cyber criminal operation behind the Conti ransomware attacks, which struck critical national infrastructure, including hospitals, during the Covid-19 pandemic, before imploding after an internal blow-up over its support for Russia’s criminal war on Ukraine.
According to the UK’s National Crime Agency (NCA), Conti extorted at least $180m from victims globally, including at least £27m from almost 100 UK organisations, including hospitals, schools and local authorities.
The gang operated beyond the reach of traditional law enforcement and effectively under the protection of the Russian government, hiding online behind a variety of pseudonyms as they conducted their criminal campaigns. Many of those named today held significant roles within the operation, including high-level managers, administrators and recruitment specialists.
This marks the second round of sanctions handed down against the gang this year, bringing the total number of gang members identified and named publicly to 18. At the same time, the US Department of Justice (DoJ) is today unsealing criminal indictments against seven of the newly designated individuals.
Both the UK and US governments know full well there is little to no chance of any of the gang members facing justice, but the logic behind exposing actors behind ransomware campaigns holds that removing their cloak of anonymity will help to disrupt future cyber criminal activity by undermining their integrity and that of other criminal “enterprises” that threaten organisations in the UK and other countries.
“These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice” Rob Jones, NCA
“These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims,” said foreign secretary James Cleverly.
“Our sanctions show they cannot act with impunity. We know who they are and what they are doing. By exposing their identities, we are disrupting their business models and making it harder for them to target our people, our businesses and our institutions.”
US under-secretary of the Treasury Brian Nelson added: “The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure. In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”
NCA operations director general Rob Jones added: “These sanctions are a continuation of our campaign against international cyber criminals. Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses.
“These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.”
The 11 men named today are:
- Andrey Zhuykov, a key figure and senior gang admin who goes by the aliases Defender, Dif and Adam.
- Maksim Galochkin, who led development, supervision and tests under the names Bentley, Volhvb and Max17.
- Maksim Rudenskiy, lead coder of the Trickbot trojan that was used to deploy both the Conti and Ryuk ransomwares. He goes by Buza, Silver and Binman.
- Mikhail Tsarev, a middle manager who ran finance and HR. He uses the aliases Mango, Fr*ances and Khano.
- Dmitry Putilin, who procured infrastructure to run Trickbot, and is known by the online monikers Grad and Staff.
- Maksim Khaliullin, another HR drone who was also associated with the purchase of Trickbot infrastructure, including virtual private servers. His handle is Kagas.
- Sergey Loguntsov, a developer, known by the aliases Begemot, Begemot_Sun and Zulas.
- Alexander Mozhaev, an administrator who used the handles Green and Rocco.
- Vadym Valiakhmetov, a coder on backdoor and loader projects. His handles include Weldon, Mentos and Vasm.
- Artem Kurov, another coder who worked on Trickbot group under the handle Naned.
- Mikhail Chernov, part of the internal utilities group. He is known variously as Bullet and m2686.
Getting on top of the issue
Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), said that in the wake of the latest round of sanctions, organisations should seize the opportunity to do more to proactively obstruct ransomware gangs by bolstering their online resilience.
“Ransomware continues to be a significant threat facing the UK, and attacks can have significant and far-reaching impact,” she said. “The NCSC has published free and actionable advice for organisations of all sizes on how to put robust defences in place to protect their networks.”