Ryuk, Conti ransomware members hit with UK sanctions in latest crackdown
The move follows a lengthy joint action between UK and US authorities to crack down on cyber criminal gangs


The UK government has issued sanctions against seven Russian cyber criminals over their involvement in ransomware attacks against a range of British businesses and public services.
Believed to be members of once-rampant ransomware organisations Ryuk and Conti, as well as other malware groups linked with the deployment of ransomware such as TrickBot, the cyber criminals' sanctions follow years of concerted efforts from international law enforcement to bring legal penalties to ransomware threat actors.
Part of a coordinated move with US authorities, the sanctions are the first in a wave of penalties against individuals found to have been associated with the development or deployment of ransomware strains, the UK government said.
The joint action follows a “complex, large-scale, and ongoing investigation” led by the National Crime Agency (NCA) which aimed to disrupt cyber criminals targeting organisations on both sides of the Atlantic.
Foreign Secretary James Cleverly said the move sends a “clear signal” to cyber criminals and their associates that they “will be held to account”.
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates,” he said.
The individuals targeted with sanctions include:
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
- Vitaliy Kovalev
- Valery Sedletski
- Valentin Karyagin
- Maksim Mikhailov
- Dmitry Pleshevskiy
- Mikhail Iskritskiy
- Ivan Vakhromeyev
NCSC chief executive, Lindy Cameron, said ransomware is one of the key cyber threats facing UK organisations and urged businesses to take all necessary steps to protect themselves in light of growing risks.
“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be,” she said.
“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”
Who are Ryuk and Conti?
Ryuk was one of yesteryear’s most pervasive strains of ransomware.
Claiming high-profile victims such as the Los Angeles Times, Sopra Steria, as well as hospitals and schools across the US and Europe, the group was able to generate $150 million (£123.1 million) in criminal proceeds during the four years it was used in hackers’ toolkits.
Its largest single-attack payout was a reported 2,200 bitcoins, worth around $34 million (roughly £25 million) at the time.
Ryuk was initially thought to be developed and distributed by threat actors based in North Korea, however, links to Russia slowly started to build as security analysts were able to analyse the locker and its associate payment addresses more deeply.
In 2020 - the third year of it being considered a major strain - security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.
During the same year, the Conti group started to rise to prominence and quickly grew to become the world’s leading ransomware organisation, also with strong links to Russia.
Its two-year tirade on the IT industry culminated in one of the most high-profile ransomware attacks ever recorded.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
FREE DOWNLOAD
Costa Rica famously declared a state of emergency after a Conti ransomware attack disrupted many of its government’s systems.
Like Ryuk, Conti was notoriously indiscriminate when it came to targeting victims. The most critical of organisations were included in attacks, including the attack on one Canadian healthcare provider which saw both Conti and Karma ransomware attack it simultaneously.
In the cyber security industry, it is generally accepted that ransomware criminals are expected to continue operating since the business model is so effective.
However, attacks on institutions such as hospitals and other emergency services are considered to be especially heinous given the potential to risk the safety of people’s lives as a result.
Some ransomware organisations openly exclude such organisations from their targeting.
The current leader in the ransomware market, LockBit, recently discovered that one of its affiliates targeted a Candian children’s hospital.
In response, it released the decryptor for free and formally apologised for the incident.
Do arrests work?
Arresting career ransomware criminals is the usual go-to method of legal penalty for international law enforcement agencies and is not a novel phenomenon, but the effectiveness of such acts has been called into question.
The world’s once-leading ransomware group, REvil, known for major attacks such as those on Kaseya, Midea, and Acer, famously had a swathe of its members arrested in 2021 as a result of a coordinated operation between US, EU, and other nations’ law enforcement bodies.
The arrests were seen as a major milestone at the time, but the group has re-emerged numerous times since the takedown and continues to operate to this day.
Due to the nature in which cyber criminals operate, it can be difficult to track every single member of a ransomware organisation.
If some are caught, invariably others often evade law enforcement and ‘go underground’ for a period of time, usually before joining a rival organisation to continue generating money.
The view of law enforcement is that arrests must still continue to happen to dissuade criminals from pursuing a career in cyber crime, but so far it has not proved a significant enough deterrent to end ransomware altogether.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years