UPDATED 21:00 EST / FEBRUARY 09 2023

SECURITY

US and UK impose sanctions on operators of infamous TrickBot botnet

The U.S. and the U.K. have sanctioned seven Russian nationals for their alleged involvement in running the infamous TrickBot botnet.

TrickBot dates back to 2016 and at its peak had infected more than 1 million machines. It began as a banking trojan, with the malware and the botnet sharing the name, built to steal online banking credentials, and it evolved several times over the years.

In 2017 a new version went after niche financial institutions, followed by another variant in 2018 that targeted cryptocurrency accounts. In 2019 TrickBot targeted email accounts in a phishing campaign and then switched to COVID-19 scams in March 2020. Microsoft Corp. disrupted the botnet's infrastructure in October 2020, only for it to re-emerge with a new campaign in July 2021.

In early 2022 the TrickBot operation was absorbed by the Conti ransomware gang, a link reflected in today's announcements. Beginning in late February 2022, an insider leaked Conti's internal chat logs and documentation, exposing the group's inner workings, including TrickBot's, and handing law enforcement a trove of data to dig through.

Notably, although the U.S. Treasury Department release today said the sanctions were imposed on members of TrickBot, the same sanctions are described by the U.K. government as targeting members of Conti. In February 2023, they’re one and the same.

The sanctions block, rather than seize, all property and interests in property of the seven individuals that fall within U.S. or U.K. jurisdiction. The U.S. Office of Foreign Assets Control has also generally prohibited U.S. persons, and anyone within the U.S., from dealing with them.

“Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Under Secretary Brian E. Nelson said. “The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

The seven sanctioned alleged hackers were Vitaliy Kovalev, known online as Bentley; Mikhail Iskritskiy, or Tropa; Valentin Karyagin, or Globus; Maksim Michailov, or Baget; Dmitry Pleshevskiy, or Iseldor; Valery Sedletski, or Strix; and Ivan Vakhromeyev, or Ivanalert/Mushroom.

“These sanctions are a welcome sight, although they may be academic since sanctions already exist,” Timothy Morris, chief security advisor at endpoint management company Tanium Inc., told SiliconANGLE. “What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. These criminal gangs will continue to innovate, build better infrastructure, hire the best developers, employ and develop the best evasion techniques, and work with affiliates that are good at infecting organizations to get the most loot. Those that defend and respond cannot let down their guard.”

Photo: Microsoft
