



US imposes sanctions on affiliates of group responsible for ransomware attacks against US financial sector

WASHINGTON - Today, the United States designated two individuals affiliated with the Russia-based ransomware group LockBit. This action is the first in an ongoing collaborative effort with the U.S. Department of Justice, the Federal Bureau of Investigation, and our international partners targeting LockBit.

"The United States will not tolerate attempts to extort and steal from our citizens and institutions," said Deputy Treasury Secretary Wally Adeyemo. "We will continue our whole-of-government approach to defending against malicious cyber activity and use all available tools to hold accountable the actors who enable these threats."

Russia continues to provide a safe haven for cybercriminals, where groups such as LockBit are free to launch ransomware attacks against the United States and its allies and partners. These ransomware attacks have targeted critical infrastructure, including hospitals, schools and financial institutions. Notably, LockBit was responsible for the November 2023 ransomware attack against the U.S. broker of the Industrial and Commercial Bank of China (ICBC).

The United States is a global leader in the fight against cybercrime and is committed to using all available authorities and tools to defend Americans against cyber threats. In addition to the actions announced today, the U.S. government is providing critical resources to help potential victims protect against and respond to ransomware attacks. For example, last year the Cybersecurity & Infrastructure Security Agency, in collaboration with other U.S. departments and agencies and foreign partners, issued two cybersecurity advisories, "Understanding Ransomware Threat Actors: LockBit" and "LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability." These advisories detail the threats posed by this group and provide recommendations to reduce the likelihood and impact of future ransomware incidents.

This action follows other recent actions taken by the United States against Russian cybercriminals, including the recent trilateral designation of Alexander Ermakov, a Russian national involved in the 2022 ransomware attack against Medibank Private Limited, in coordination with Australia and the United Kingdom, and last year's bilateral sanctions actions against the cybercrime group Trickbot with the UK. Russia has enabled ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has already stressed that Russia must take concrete measures to prevent cybercriminals from operating freely on its territory. Today's actions reflect the United States' commitment to combating cybercrime and pursuing bad actors who target victims in the United States, its allies, and partners.

LOCKBIT: A MALICIOUS RUSSIAN RANSOMWARE GROUP

LockBit is a Russia-based ransomware group first observed in 2019 and best known for its ransomware variant of the same name. LockBit operates on a Ransomware-as-a-Service (RaaS) model, in which the group licenses its ransomware to affiliated cybercriminals in exchange for a percentage of the ransoms paid. LockBit is known for its double extortion tactics, where its cybercriminals exfiltrate large amounts of data from its victims before encrypting the victims' computer systems and demanding ransom payment. LockBit was the most deployed ransomware variant globally in 2022 and remains prolific today.

OFAC's investigation identified LockBit as responsible for the ransomware attack against ICBC, which occurred on November 9, 2023. The ransomware attack disrupted ICBC's US broker, affecting the settlement of more than $9 billion in assets backed by Treasury securities. The ransomware attack caused an outage of ICBC's IT systems, leading to a loss of email and communications. ICBC's inability to access its systems resulted in securities being delivered for settlement without funds to support the transactions.

OFAC TARGETS AFFILIATES OF THE LOCKBIT RANSOMWARE GROUP

Ivan Gennadievich Kondratiev, a Russian national residing in Novomokovsk, Russia, is a LockBit affiliate and head of LockBit's affiliated subgroup, the National Hazard Society. Kondratiev is commonly known in the cybercriminal world as Bassterlord and Fisheye, and he also has ties to the ransomware groups REvil, RansomEXX, and Avaddon. Kondratiev actively engaged in LockBit ransomware attacks.

Artur Sungatov, a Russian national, is an affiliate of the LockBit ransomware group and actively participated in LockBit ransomware attacks.

OFAC designates each of these individuals pursuant to Executive Order (EO) 13694, as amended by EO 13757, for being responsible for or complicit in, or for having engaged in, directly or indirectly, an activity described in subparagraph (a)(ii)(D) of section 1 of EO 13694, as amended.

IMPLICATIONS OF SANCTIONS

As a result of today's action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, all entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempted, OFAC regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve property or interests in property of designated or otherwise blocked persons. Individuals who engage in certain transactions with today's designated individuals may themselves be exposed to designation.

OFAC's sanctions power and integrity derive not only from its ability to designate and add individuals to the Specially Designated Nationals and Blocked Persons (SDN) list, but also from its willingness to remove individuals from the SDN list in accordance with the law. The ultimate goal of sanctions is not to punish but to bring about positive change in behavior. For more information regarding the process of requesting removal from an OFAC list, including the SDN list, please refer to OFAC Frequently Asked Question 897. Detailed information on the process of submitting a request for removal from an OFAC sanctions list is available on OFAC's website.

See OFAC's updated advisory on the potential risk of sanctions for facilitating ransomware payments for information on actions that OFAC would consider mitigating factors in any related enforcement action involving ransomware payments with a potential risk of sanctions. For more information on compliance with virtual currency sanctions, see OFAC's Sanctions Compliance Guide for the Virtual Currency Industry.


###

