The UK government has issued sanctions against seven Russian cyber criminals over their involvement in ransomware attacks against a range of British businesses and public services.
Believed to be members of once-rampant ransomware organisations Ryuk and Conti, as well as other malware groups linked with the deployment of ransomware such as TrickBot, the cyber criminals' sanctions follow years of concerted efforts from international law enforcement to bring legal penalties to ransomware threat actors.
Part of a coordinated move with US authorities, the sanctions are the first in a wave of penalties against individuals found to have been associated with the development or deployment of ransomware strains, the UK government said.
The joint action follows a “complex, large-scale, and ongoing investigation” led by the National Crime Agency (NCA) which aimed to disrupt cyber criminals targeting organisations on both sides of the Atlantic.
Foreign Secretary James Cleverly said the move sends a “clear signal” to cyber criminals and their associates that they “will be held to account”.
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates,” he said.
The individuals targeted with sanctions include:
- Vitaliy Kovalev
- Valery Sedletski
- Valentin Karyagin
- Maksim Mikhailov
- Dmitry Pleshevskiy
- Mikhail Iskritskiy
- Ivan Vakhromeyev
NCSC chief executive, Lindy Cameron, said ransomware is one of the key cyber threats facing UK organisations and urged businesses to take all necessary steps to protect themselves in light of growing risks.
“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be,” she said.
“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”
Who are Ryuk and Conti?
Ryuk was one of yesteryear’s most pervasive strains of ransomware.
Claiming high-profile victims such as the Los Angeles Times, Sopra Steria, as well as hospitals and schools across the US and Europe, the group was able to generate $150 million (£123.1 million) in criminal proceeds during the four years it was used in hackers’ toolkits.
Its largest single-attack payout was a reported 2,200 bitcoins, worth around $34 million (roughly £25 million) at the time.
Ryuk was initially thought to be developed and distributed by threat actors based in North Korea, however, links to Russia slowly started to build as security analysts were able to analyse the locker and its associate payment addresses more deeply.
In 2020 - the third year of it being considered a major strain - security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.
During the same year, the Conti group started to rise to prominence and quickly grew to become the world’s leading ransomware organisation, also with strong links to Russia.
Its two-year tirade on the IT industry culminated in one of the most high-profile ransomware attacks ever recorded.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
FREE DOWNLOAD
Costa Rica famously declared a state of emergency after a Conti ransomware attack disrupted many of its government’s systems.
Like Ryuk, Conti was notoriously indiscriminate when it came to targeting victims. The most critical of organisations were included in attacks, including the attack on one Canadian healthcare provider which saw both Conti and Karma ransomware attack it simultaneously.
In the cyber security industry, it is generally accepted that ransomware criminals are expected to continue operating since the business model is so effective.
However, attacks on institutions such as hospitals and other emergency services are considered to be especially heinous given the potential to risk the safety of people’s lives as a result.
Some ransomware organisations openly exclude such organisations from their targeting.
The current leader in the ransomware market, LockBit, recently discovered that one of its affiliates targeted a Candian children’s hospital.
In response, it released the decryptor for free and formally apologised for the incident.
Do arrests work?
Arresting career ransomware criminals is the usual go-to method of legal penalty for international law enforcement agencies and is not a novel phenomenon, but the effectiveness of such acts has been called into question.
The world’s once-leading ransomware group, REvil, known for major attacks such as those on Kaseya, Midea, and Acer, famously had a swathe of its members arrested in 2021 as a result of a coordinated operation between US, EU, and other nations’ law enforcement bodies.
The arrests were seen as a major milestone at the time, but the group has re-emerged numerous times since the takedown and continues to operate to this day.
Due to the nature in which cyber criminals operate, it can be difficult to track every single member of a ransomware organisation.
If some are caught, invariably others often evade law enforcement and ‘go underground’ for a period of time, usually before joining a rival organisation to continue generating money.
The view of law enforcement is that arrests must still continue to happen to dissuade criminals from pursuing a career in cyber crime, but so far it has not proved a significant enough deterrent to end ransomware altogether.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
