Date: 2023-02-09

Seven Russian citizens have had their assets frozen and travel bans imposed.

Ransomware is a top-tier national security threat, with attacks against businesses and public sector organizations increasingly common. Recent victims include UK schools, local authorities and firms, while internationally the Irish Health Service Executive, the Costa Rican government and US healthcare providers were targeted.

The new concerted action campaign is being coordinated with the US, after 149 British victims of ransomware known as Conti and Ryuk were identified by the NCA.

Seven Russian cybercriminals have today (Thursday 9 February) been sanctioned by the UK and US in the first wave of new coordinated action against international cybercrime. These individuals have been linked to the development or deployment of a variety of ransomware strains that have targeted the UK and US.

Foreign Secretary James Cleverly said:

By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held accountable. These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organized crime, whatever its form and wherever it originates.

Ransomware criminals specifically target the systems of organizations they judge will pay them more money, and they time their attacks to cause maximum damage, including targeting hospitals in the midst of a pandemic.

Ransomware groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been responsible for the development and deployment of: Trickbot, Anchor, BazarLoader, BazarBackdoor as well as Conti and Diavol ransomware variants. They are also involved in deploying the Ryuk ransomware.

Ransomware strains known as Conti and Ryuk affected 149 individuals and businesses in the UK. The ransomware was responsible for extracting at least around 27 million. There were 104 victims of the Conti strain in the UK, who paid approximately 10 million, and 45 victims of the Ryuk strain, who paid approximately 17 million.

Conti was behind attacks targeting hospitals, schools, businesses and local authorities, including the Scottish Environment Protection Agency. The group behind Conti extorted $180 million in ransomware in 2021 alone, according to research from Chainalysis.

Conti was one of the first cybercrime groups to support the Russian war in Ukraine, voicing their support for the Kremlin within 24 hours of the invasion.

Although the ransomware group responsible for Conti was disbanded in May 2022, reports suggest that members of the group continue to be involved in some of the most notorious new types of ransomware that dominate and threaten UK security.

Security Minister Tom Tugendhat said:

They were targeting cybercriminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, injured many people and ended lives, at great expense to taxpayers. Cybercrime knows no borders and threatens our national security. These sanctions identify and expose those responsible.

A wide range of organizations have been targeted by ransomware criminals, including at least ten schools and universities in the UK, as well as hospitals, a forensic laboratory and local authorities. Costa Rica’s government was also targeted last year.

Ireland’s Health Service Executive was targeted by ransomware actors during the Covid pandemic, leading to disruption of blood tests, X-rays, CT scans, radiotherapy and chemotherapy appointments for 10 days.

Another recent ransomware attack involved Harrogate-based shipping and cold storage firm Reed Boardall, whose IT systems were under attack for nearly a week in 2021.

These sanctions follow a complex, large-scale and ongoing investigation led by the NCA, which will continue to pursue all investigative lines of inquiry to disrupt the ransomware threat to the UK in collaboration with partners.

Director General of the National Crime Agency, Graeme Biggar, said:

This is a hugely important moment for the UK and our collaborative efforts with the US to deter international cybercriminals. The sanctions are the first of their kind for the UK and signal the ongoing campaign to target those responsible for some of the most sophisticated and damaging ransomware affecting the UK and our allies. They show that these criminals and those who support them are not immune to UK action, and this is just one tool we will use to tackle this threat and protect the public. This is an excellent example of the dedication and expertise of the NCA team, who have worked closely with partners on this complex investigation. We will continue to use our unique capabilities to expose cybercriminals and work together with our international partners to hold those responsible accountable, wherever they are in the world.

UK and US authorities will continue to expose these cybercriminals and crack down on their activities. This announcement of sanctions against seven individuals marks the start of a coordinated campaign of action against ransomware actors led by the UK and the US.

The National Cyber Security Centre (NCSC), part of GCHQ, has assessed that:

It is almost certain that the Conti group was primarily financially motivated and chose their targets based on the perceived value they could extort from them.

Key members of the group most likely have ties to the Russian Intelligence Services from which they likely received assignments. The targeting of some organizations, such as the International Olympic Committee, by the group almost certainly aligns with the objectives of the Russian state.

The group most likely evolved from earlier organized cybercrime groups and likely has extensive ties to other cybercriminals, notably EvilCorp and those responsible for the Ryuk ransomware.

NCSC CEO Lindy Cameron said:

Ransomware is the most acute cyber threat facing the UK and attacks by criminal groups show just how devastating its impact can be. NCSC is working with partners to combat ransomware attacks and those responsible, helping to prevent incidents and improve our collective resilience. It is vital that organizations take immediate steps to limit their risk by following the NCSC’s advice on how to deploy robust defenses to protect their networks.

Victims of ransomware attacks should use the UK government's Cyber Incident reporting site as soon as possible after an attack.

Today, the UK’s Office for the Enforcement of Financial Sanctions (OFSI) is also publishing new public guidance outlining the implications of these new sanctions in ransomware cases.

The individuals designated today are: Vitaliy Kovalev, Valery Sedletski, Valentin Karyagin, Maksim Mikhailov, Dmitry Pleshevskiy, Mikhail Iskritskiy and Ivan Vakhromeyev.

Making funds available to individuals as payment for ransomware, including crypto assets, is prohibited under these sanctions. Organizations must have or deploy robust cyber security and incident management systems to prevent and manage serious cyber incidents.