Some recent studies have found that sanctions on Russian hackers are having a notable effect on both ransomware payments and ransomware attempts. That theory is about to get a further test: seven members of the TrickBot ransomware gang have now been designated by the United States Office of Foreign Assets Control (OFAC). The UK's Foreign, Commonwealth and Development Office is participating as well, the first time the country has imposed sanctions of this kind.
TrickBot has been one of the more prolific cybercrime outfits since it first appeared in 2016, and its longevity may owe something to its connections to Russian intelligence. The group got its start distributing banking trojans before expanding into ransomware, and it has already weathered serious blows, including the 2020 disruption of its botnet and the 2021 arrests of two key members.
TrickBot ransomware gang sanctioned amid accusations that members are associated with Russian intelligence
US officials have proven willing to sanction Russian hackers when they display some connection to the national government or its war effort, even when the government does not openly acknowledge that connection. In the case of TrickBot, the Treasury Department is indicating that the connection is stronger than usual. Its statement accused the sanctioned members of the ransomware gang of working with the Russian Intelligence Services and of aligning with government objectives in the group's 2020 activities against assorted targets in the US. One of those campaigns also hit health care facilities in the UK.
The TrickBot group was first named, and first had attacks attributed to it, in 2016, but researchers believe its members had been using the Dyre trojan (which later evolved into the initial TrickBot malware) to attack banks since 2014. The Russian hackers went on to add numerous forms of cyber theft and data breaches to their arsenal, making a major name for themselves as a ransomware gang in 2020 with a wave of opportunistic attacks against health care facilities in the US and UK during the Covid-19 pandemic.
The sanctioned Russian hackers work in various capacities for TrickBot, ranging from developing its ransomware to laundering its money and managing its communications and command-and-control servers. The most senior member, Vitaly Kovalev, is accused of independently hacking US bank accounts dating back to at least 2010.
The sanctions deter payments to ransomware gangs by making such payments not merely expensive but, for US persons, prohibited. OFAC can impose civil penalties on a strict-liability basis, so a victim can be fined even if it did not know the recipient was a sanctioned party, and the fine can be substantially more than what the victim paid in ransom. Between that exposure and the usually high remediation costs, victims often conclude that relying on whatever backup and restoration capacity they have is a better option than attempting to get their files unlocked by the attackers. The sanctioned parties also have a harder time moving and laundering their stolen money, since exchanges and other intermediaries are obliged to block transactions involving them.
Though ransomware continues to be a serious (and expensive) threat, Roger Grimes (data-driven defense evangelist at KnowBe4) believes that these sanctions represent a tipping point in the battle against it: “CISA and all their partners (e.g., FBI, DOJ, NSA, business councils, foreign agencies, etc.) got involved. Even the President of the United States got involved. Ransomware finally crossed a bridge too far. The defenders figured out what it would take to mitigate ransomware. It’s really the kitchen sink approach. CISA started better educating everyone about ransomware and putting out notices of the latest attacks and indicators of compromise. We started to go after the money. We started to identify and even sometimes arrest ransomware group members. We started to sanction or threaten to sanction legitimate organizations that allowed ransomware gangs to cash out their ill-gotten gains. Victims started saying no to paying the ransom. After over a decade of most victims…say 40% to 50% of them, usually paying the ransom, today most don’t. And that’s despite the potentially costly consequences, such as private data being publicly published.”
“So, you’ve got law enforcement hot on their trail (even if they can’t be arrested) and it’s harder for them to make money doing what easily worked for over a decade. For the first time in the fight against ransomware, they didn’t just exponentially expand their attacks and profit. Ransomware isn’t gone and might not ever be, but the good guys are in the game fighting back. It isn’t as one-sided as it used to be. And we need to recognize that CISA and the U.S. government did this. It isn’t often that you can point to a government and say they made a difference in cybersecurity, but this is one of those times and I’m glad we have CISA in the fight,” noted Grimes.
Sanctions becoming a potent deterrent for Russian hackers, but the conditions under which they apply are limited
Just the possibility of sanctions appears to be having an impact on Russian hackers. The Conti group, the biggest ransomware gang going into 2022, looks to have folded under that prospect after its internal group chats were leaked and the group could be tied to support for Russia’s invasion of Ukraine.
But the Conti case, like the current TrickBot development, also illustrates the limitations of sanctions. One is that they can restrict the international movement of the people they target but cannot bring about arrests if those people stay in a country that tolerates them, such as Russia. Another, related, limitation is that the hackers do not go out of business; they usually just go underground for a short period before re-emerging under a new criminal brand. The Conti hackers are thought to have scattered to any number of other operations after the group broke up, possibly including TrickBot.
The sanctions may also not be enough to finish off TrickBot, which has proven more resilient than most ransomware gangs. The group already has considerable experience with direct theft from banks and corporations, activity that does not depend on soliciting payments from victims. It recovered from the law enforcement disruption of its botnet in 2020, and again from the 2021 arrests of two key figures involved in running it. It is possible the group will cease acting as a ransomware gang as a result of the sanctions, but it is extremely improbable that it will cease all criminal activity. As Timothy Morris, Chief Security Advisor at Tanium, observes: “These criminal gangs will continue to innovate, build better infrastructure, hire the best developers, employ and develop the best evasion techniques, and work with affiliates that are good at infecting organizations to get the most loot. Those that defend and respond cannot let down their guard.”
The actions against the Russian hackers were likely informed by a leak TrickBot suffered in early 2022, not long after the Conti leak was published. That leak included messages from 35 of the group’s members, some of whom were communicating with members of Russia’s FSB and expressed interest in attacking targets in Ukraine. The leak also provided insight into the group’s internal structure, including members’ personal information and hundreds of cryptocurrency wallet addresses used to move money around.
Research from the Intel 471 Threat Research Team indicates that TrickBot may be going into retirement, with the Russian hackers involved shifting to Emotet instead: “We’ve not seen any TrickBot activity since the Feb 2022 blog post. It is highly likely that TrickBot won’t be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project … The TrickBot gang cut their losses and chose Emotet to replace it.”