Ryuk, Conti ransomware members hit with UK sanctions in latest crackdown

The UK government has issued sanctions against seven Russian cyber criminals over their involvement in ransomware attacks against a range of British businesses and public services.

Believed to be members of once-rampant ransomware organisations Ryuk and Conti, as well as other malware groups linked with the deployment of ransomware such as TrickBot, the cyber criminals' sanctions follow years of concerted efforts from international law enforcement to bring legal penalties to ransomware threat actors.

Part of a coordinated move with US authorities, the sanctions are the first in a wave of penalties against individuals found to have been associated with the development or deployment of ransomware strains, the UK government said.

The joint action follows a “complex, large-scale, and ongoing investigation” led by the National Crime Agency (NCA) which aimed to disrupt cyber criminals targeting organisations on both sides of the Atlantic.

Foreign Secretary James Cleverly said the move sends a “clear signal” to cyber criminals and their associates that they “will be held to account”.

“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates,” he said.

The individuals targeted with sanctions include:

• Vitaliy Kovalev
• Valery Sedletski
• Valentin Karyagin
• Maksim Mikhailov
• Dmitry Pleshevskiy
• Mikhail Iskritskiy
• Ivan Vakhromeyev

NCSC chief executive, Lindy Cameron, said ransomware is one of the key cyber threats facing UK organisations and urged businesses to take all necessary steps to protect themselves in light of growing risks.

“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be,” she said.

“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.”

Who are Ryuk and Conti?

Ryuk was one of yesteryear’s most pervasive strains of ransomware.

Claiming high-profile victims such as the Los Angeles Times, Sopra Steria, as well as hospitals and schools across the US and Europe, the group was able to generate $150 million (£123.1 million) in criminal proceeds during the four years it was used in hackers’ toolkits.

Its largest single-attack payout was a reported 2,200 bitcoins, worth around $34 million (roughly £25 million) at the time.

Ryuk was initially thought to be developed and distributed by threat actors based in North Korea, however, links to Russia slowly started to build as security analysts were able to analyse the locker and its associate payment addresses more deeply.

In 2020 - the third year of it being considered a major strain - security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.

During the same year, the Conti group started to rise to prominence and quickly grew to become the world’s leading ransomware organisation, also with strong links to Russia.

Its two-year tirade on the IT industry culminated in one of the most high-profile ransomware attacks ever recorded.

Costa Rica famously declared a state of emergency after a Conti ransomware attack disrupted many of its government’s systems.

Like Ryuk, Conti was notoriously indiscriminate when it came to targeting victims. The most critical of organisations were included in attacks, including the attack on one Canadian healthcare provider which saw both Conti and Karma ransomware attack it simultaneously.

In the cyber security industry, it is generally accepted that ransomware criminals are expected to continue operating since the business model is so effective.

However, attacks on institutions such as hospitals and other emergency services are considered to be especially heinous given the potential to risk the safety of people’s lives as a result.

Some ransomware organisations openly exclude such organisations from their targeting.

The current leader in the ransomware market, LockBit, recently discovered that one of its affiliates targeted a Candian children’s hospital.

In response, it released the decryptor for free and formally apologised for the incident.

Do arrests work?

Arresting career ransomware criminals is the usual go-to method of legal penalty for international law enforcement agencies and is not a novel phenomenon, but the effectiveness of such acts has been called into question.

The world’s once-leading ransomware group, REvil, known for major attacks such as those on Kaseya, Midea, and Acer, famously had a swathe of its members arrested in 2021 as a result of a coordinated operation between US, EU, and other nations’ law enforcement bodies.

The arrests were seen as a major milestone at the time, but the group has re-emerged numerous times since the takedown and continues to operate to this day.

Due to the nature in which cyber criminals operate, it can be difficult to track every single member of a ransomware organisation.

If some are caught, invariably others often evade law enforcement and ‘go underground’ for a period of time, usually before joining a rival organisation to continue generating money.

The view of law enforcement is that arrests must still continue to happen to dissuade criminals from pursuing a career in cyber crime, but so far it has not proved a significant enough deterrent to end ransomware altogether.