Feb 15, 2023 - 1:00 a.m.

TrickBot gang members sanctioned after pandemic ransomware attacks

Malwarebytes blog
www.malwarebytes.com

In a collaborative partnership, officials in the United States and the United Kingdom unmasked and imposed financial sanctions against seven members of the notorious Russian gang TrickBot (alias “TrickLoader”), a mainstream banking Trojan turned malware-as-a-service (MaaS) platform for other criminals.

Apart from taking over bank accounts, TrickBot has been instrumental in spreading ransomware across multiple healthcare organizations and critical infrastructure in the US, especially during the height of the COVID-19 pandemic.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement:

> “Cybercriminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses, and exploit the international financial system. The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime.”

According to the sanctions notice, in one attack the group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing ambulances to divert.

> “Members of the TrickBot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

TrickBot debuted in 2016 after succeeding Dyreza (alias “Dyre”), another banking Trojan also operated by cybercriminals based in Moscow, Russia. TrickBot has since evolved into “a highly modular malware suite that provides the TrickBot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks”. Among the ransomware strains TrickBot collaborated with was Ryuk, which was then succeeded by or identified as related to the now-defunct Conti ransomware.

Sanctions

Coinciding with the US sanction notice, the UK’s Office of Financial Sanctions Implementation (OFSI) released guidance on ransomware and sanctions. Sanctioning generally has a two-fold effect. On the one hand, people (usually victim organizations of a ransomware attack) are prohibited from making ransom payments to a sanctioned entity (usually the organized ransomware gang behind the attack) as doing so is “a serious criminal offence” with imprisonment and fines. On the other hand, sanctioned entities have their assets frozen and are subjected to a travel ban.

Indeed, sanctions are powerful tools to deter and disrupt behaviors that would otherwise undermine national security. They have as much effect in the digital ecosystem as they have in the real world, yet they continue to be challenged by current technological innovations, such as digital currencies, alternative payment methods, and other ways to keep monetary transactions under the radar. It may not look like it, but the US Treasury asserts “the ultimate goal of sanctions is not to punish but to bring about a positive change in behavior”.

How to avoid ransomware

There is no doubt hospitals remain under a bullseye, and attackers can strike at any time. Thankfully, there are ways organizations can help reduce their risk of suffering from a ransomware attack.

  • Have an incident response (IR) plan. Organizations should accept the fact that a cyberattack is likely to affect them at some point, whether they're the direct victim or part of a supply chain. An IR plan can direct your responders on what to do in the event of a cybersecurity attack. This should include restoring from backups, client outreach, and reporting to law enforcement among others.
  • Educate your staff. Awareness goes a long way, and everyone in the company has a responsibility to keep the organization’s network safe. Staff should be taught social engineering tactics and red flags of a system attack, so they can alert the right personnel quickly should an attack occur.
  • Patch as soon as you can. Many threat actors get into networks by exploiting unpatched vulnerabilities. Have a patching plan in place to ensure that your organization’s network is protected against the latest and most exploited weaknesses.
  • Back up your files. Backups have saved a lot of organizations after a ransomware attack, provided they work. When you make a plan, ensure you also have provisions for backup testing.
  • Get an EDR solution. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. In fact, we guarantee our Endpoint Detection and Response will stop a ransomware infection on your deployed systems, or we'll refund your annual subscription fee.
  • Learn more. If you want to read more about protecting your business from ransomware, take a look at our Ransomware Emergency Kit.
