The UK government has issued sanctions against seven Russian cyber criminals over their involvement in ransomware attacks against a range of British businesses and public services.
Believed to be members of once-rampant ransomware organisations Ryuk and Conti, as well as other malware groups linked with the deployment of ransomware such as TrickBot, the cyber criminals' sanctions follow years of concerted efforts from international law enforcement to bring legal penalties to ransomware threat actors.
Part of a coordinated move with US authorities, the sanctions are the first in a wave of penalties against individuals found to have been associated with the development or deployment of ransomware strains, the UK government said.
The joint action follows a “complex, large-scale, and ongoing investigation” led by the National Crime Agency (NCA) which aimed to disrupt cyber criminals targeting organisations on both sides of the Atlantic.
Foreign Secretary James Cleverly said the move sends a “clear signal” to cyber criminals and their associates that they “will be held to account”.
“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates,” he said.
The individuals targeted with sanctions include:
- Vitaliy Kovalev
- Valery Sedletski
- Valentin Karyagin
- Maksim Mikhailov
- Dmitry Pleshevskiy
- Mikhail Iskritskiy
- Ivan Vakhromeyev
NCSC chief executive, Lindy Cameron, said ransomware is one of the key cyber threats facing UK organisations and urged businesses to take all necessary steps to protect themselves in light of growing risks.
“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be,” she said.
“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”
Who are Ryuk and Conti?
Ryuk was one of yesteryear’s most pervasive strains of ransomware.
Claiming high-profile victims such as the Los Angeles Times, Sopra Steria, as well as hospitals and schools across the US and Europe, the group was able to generate $150 million (£123.1 million) in criminal proceeds during the four years it was used in hackers’ toolkits.
Its largest single-attack payout was a reported 2,200 bitcoins, worth around $34 million (roughly £25 million) at the time.
Ryuk was initially thought to be developed and distributed by threat actors based in North Korea, however, links to Russia slowly started to build as security analysts were able to analyse the locker and its associate payment addresses more deeply.
In 2020 - the third year of it being considered a major strain - security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.
During the same year, the Conti group started to rise to prominence and quickly grew to become the world’s leading ransomware organisation, also with strong links to Russia.
Its two-year tirade on the IT industry culminated in one of the most high-profile ransomware attacks ever recorded.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
FREE DOWNLOAD
Costa Rica famously declared a state of emergency after a Conti ransomware attack disrupted many of its government’s systems.
Like Ryuk, Conti was notoriously indiscriminate when it came to targeting victims. The most critical of organisations were included in attacks, including the attack on one Canadian healthcare provider which saw both Conti and Karma ransomware attack it simultaneously.
In the cyber security industry, it is generally accepted that ransomware criminals are expected to continue operating since the business model is so effective.
However, attacks on institutions such as hospitals and other emergency services are considered to be especially heinous given the potential to risk the safety of people’s lives as a result.
Some ransomware organisations openly exclude such organisations from their targeting.
The current leader in the ransomware market, LockBit, recently discovered that one of its affiliates targeted a Candian children’s hospital.
In response, it released the decryptor for free and formally apologised for the incident.
Do arrests work?
Arresting career ransomware criminals is the usual go-to method of legal penalty for international law enforcement agencies and is not a novel phenomenon, but the effectiveness of such acts has been called into question.
The world’s once-leading ransomware group, REvil, known for major attacks such as those on Kaseya, Midea, and Acer, famously had a swathe of its members arrested in 2021 as a result of a coordinated operation between US, EU, and other nations’ law enforcement bodies.
The arrests were seen as a major milestone at the time, but the group has re-emerged numerous times since the takedown and continues to operate to this day.
Due to the nature in which cyber criminals operate, it can be difficult to track every single member of a ransomware organisation.
If some are caught, invariably others often evade law enforcement and ‘go underground’ for a period of time, usually before joining a rival organisation to continue generating money.
The view of law enforcement is that arrests must still continue to happen to dissuade criminals from pursuing a career in cyber crime, but so far it has not proved a significant enough deterrent to end ransomware altogether.
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reportedNews Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
