In a collaborative partnership, officials in the United States and the United Kingdom unmasked and imposed financial sanctions against seven members of the notorious Russian gang TrickBot (alias “TrickLoader”), a mainstream banking Trojan turned malware-as-a-service (MaaS) platform for other criminals.
Apart from taking over bank accounts, TrickBot has been instrumental in spreading ransomware across multiple healthcare organizations and critical infrastructure in the US, especially during the height of the COVID-19 pandemic.
Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement:
> “Cybercriminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”
According to the sanctions notice, in one attack the group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing ambulances to divert.
> “Members of the TrickBot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
TrickBot debuted in 2016 after succeeding Dyreza (alias “Dyre”), another banking Trojan also operated by cybercriminals based in Moscow, Russia. TrickBot has since evolved into “a highly modular malware suite that provides the TrickBot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks”. Among the ransomware strains TrickBot collaborated with was Ryuk, which was later succeeded by, or identified as related to, the now-defunct Conti ransomware.
Coinciding with the US sanctions notice, the UK’s Office of Financial Sanctions Implementation (OFSI) released guidance on ransomware and sanctions. Sanctioning generally has a two-fold effect. On the one hand, people (usually the victim organizations of a ransomware attack) are prohibited from making ransom payments to a sanctioned entity (usually the organized ransomware gang behind the attack), as doing so is “a serious criminal offence” punishable by imprisonment and fines. On the other hand, sanctioned entities have their assets frozen and are subjected to a travel ban.
Indeed, sanctions are powerful tools to deter and disrupt behaviors that would otherwise undermine national security. They have as much effect in the digital ecosystem as they have in the real world, yet they continue to be challenged by current technological innovations, such as digital currencies, alternative payment methods, and other ways to keep monetary transactions under the radar. It may not look like it, but the US Treasury asserts that “the ultimate goal of sanctions is not to punish but to bring about a positive change in behavior”.
There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.