11 alleged Conti criminals hit with UK and US sanctions

8 Sep 2023


The notorious Conti ransomware gang is believed to be responsible for extorting at least $180m globally and was behind the HSE cyberattack in 2021.

UK and US authorities have issued sanctions on 11 individuals who are allegedly part of a cybercriminal gang that uses Trickbot and Conti malware.

The 11 individuals have been hit with asset freezes and travel bans in a coordinated effort to counter the threat of ransomware, according to UK officials. The country’s National Crime Agency (NCA) assesses that this group was responsible for extorting at least $180m from victims globally.

The gang is believed to be based in Russia, with UK officials claiming that the group supported Russia’s invasion of Ukraine and received tasks from Russian intelligence services.

“Attacks by this ransomware group have caused significant damage to our businesses and ruined livelihoods, with victims having to deal with the prolonged impact of financial and data losses,” said NCA director general of operations Rob Jones.

“These criminals thought they were untouchable, but our message is clear: we know who you are and, working with our partners, we will not stop in our efforts to bring you to justice.”

Conti and Trickbot

Conti is a notorious form of ‘double-extortion’ ransomware, which means that – as well as holding access to systems to ransom – the malware might also steal information stored on the system and encrypt it. Hackers can then threaten to release this private information online if a payment is not made.

Reports suggest the ransomware first appeared between late 2019 and early 2020, after which it became notorious for attacks on critical infrastructure worldwide.

This is the same ransomware that was behind Ireland’s massive Health Service Executive (HSE) cyberattack in 2021, which impacted much of the country’s health services.

The cybercriminals behind the attack are commonly known as the Conti ransomware gang, though reports have also referred to them as Wizard Spider.

The Conti ransomware was also used to wage a large ransomware assault on Costa Rica last year, which was described as a “war” by the country’s president Rodrigo Chaves. Last month, Chaves claimed the country has recovered from the massive cyberattack with stronger cyber defences, The Record reports.

Trickbot is an older form of malware, a trojan virus that was first identified in 2016, according to US officials. It is believed that Trickbot was an evolution of an earlier form of trojan known as Dyre.

“The Trickbot trojan infected millions of victim computers worldwide, including those of US businesses and individuals,” the US treasury department said. “It has since evolved into a highly modular malware suite that provides the Trickbot group the ability to conduct a variety of malicious cyber activities, including ransomware.”

Last year, experts speaking to SecurityWeek claimed the development team of Trickbot was “acquired” by the Conti ransomware gang by the end of 2021.

This is not the first push authorities have made in trying to stop the criminals behind the Conti ransomware gang. In August 2022, the US Department of State announced a $10m reward for any information on five individuals who were believed to be high-ranking members of the Conti gang.

It is unclear how the Conti gang members currently operate, as reports last year suggested that the gang split up and joined smaller ransomware operations.


Leigh Mc Gowran is a journalist with Silicon Republic
