IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ryuk, Conti ransomware members hit with UK sanctions in latest crackdown

The move follows a lengthy joint action between UK and US authorities to crack down on cyber criminal gangs

The UK government has issued sanctions against seven Russian cyber criminals over their involvement in ransomware attacks against a range of British businesses and public services.  

Believed to be members of once-rampant ransomware organisations Ryuk and Conti, as well as other malware groups linked with the deployment of ransomware such as TrickBot, the cyber criminals' sanctions follow years of concerted efforts from international law enforcement to bring legal penalties to ransomware threat actors.

Part of a coordinated move with US authorities, the sanctions are the first in a wave of penalties against individuals found to have been associated with the development or deployment of ransomware strains, the UK government said.  

The joint action follows a “complex, large-scale, and ongoing investigation” led by the National Crime Agency (NCA) which aimed to disrupt cyber criminals targeting organisations on both sides of the Atlantic. 

Foreign Secretary James Cleverly said the move sends a “clear signal” to cyber criminals and their associates that they “will be held to account”.  

“These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates,” he said.  

The individuals targeted with sanctions include:  

  • Vitaliy Kovalev 
  • Valery Sedletski 
  • Valentin Karyagin 
  • Maksim Mikhailov 
  • Dmitry Pleshevskiy 
  • Mikhail Iskritskiy 
  • Ivan Vakhromeyev 

NCSC chief executive, Lindy Cameron, said ransomware is one of the key cyber threats facing UK organisations and urged businesses to take all necessary steps to protect themselves in light of growing risks.  

“Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be,” she said.  

“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.” 

Who are Ryuk and Conti?

Ryuk was one of yesteryear’s most pervasive strains of ransomware. 

Claiming high-profile victims such as the Los Angeles Times, Sopra Steria, as well as hospitals and schools across the US and Europe, the group was able to generate $150 million (£123.1 million) in criminal proceeds during the four years it was used in hackers’ toolkits.

Its largest single-attack payout was a reported 2,200 bitcoins, worth around $34 million (roughly £25 million) at the time.

Ryuk was initially thought to be developed and distributed by threat actors based in North Korea, however, links to Russia slowly started to build as security analysts were able to analyse the locker and its associate payment addresses more deeply.

In 2020 - the third year of it being considered a major strain - security firm SonicWall revealed it was behind a third of ransomware attacks worldwide for the year.

During the same year, the Conti group started to rise to prominence and quickly grew to become the world’s leading ransomware organisation, also with strong links to Russia.

Its two-year tirade on the IT industry culminated in one of the most high-profile ransomware attacks ever recorded. 

Related Resource

Modernise your server infrastructure for speed and security

Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation

Whitepaper cover with title and block dark green rectangle with grey and white arrow graphicsFree Download

Costa Rica famously declared a state of emergency after a Conti ransomware attack disrupted many of its government’s systems.

Like Ryuk, Conti was notoriously indiscriminate when it came to targeting victims. The most critical of organisations were included in attacks, including the attack on one Canadian healthcare provider which saw both Conti and Karma ransomware attack it simultaneously.

In the cyber security industry, it is generally accepted that ransomware criminals are expected to continue operating since the business model is so effective. 

However, attacks on institutions such as hospitals and other emergency services are considered to be especially heinous given the potential to risk the safety of people’s lives as a result.

Some ransomware organisations openly exclude such organisations from their targeting. 

The current leader in the ransomware market, LockBit, recently discovered that one of its affiliates targeted a Candian children’s hospital.

In response, it released the decryptor for free and formally apologised for the incident.

Do arrests work?

Arresting career ransomware criminals is the usual go-to method of legal penalty for international law enforcement agencies and is not a novel phenomenon, but the effectiveness of such acts has been called into question.

The world’s once-leading ransomware group, REvil, known for major attacks such as those on Kaseya, Midea, and Acer, famously had a swathe of its members arrested in 2021 as a result of a coordinated operation between US, EU, and other nations’ law enforcement bodies.

The arrests were seen as a major milestone at the time, but the group has re-emerged numerous times since the takedown and continues to operate to this day.

Due to the nature in which cyber criminals operate, it can be difficult to track every single member of a ransomware organisation. 

If some are caught, invariably others often evade law enforcement and ‘go underground’ for a period of time, usually before joining a rival organisation to continue generating money.

The view of law enforcement is that arrests must still continue to happen to dissuade criminals from pursuing a career in cyber crime, but so far it has not proved a significant enough deterrent to end ransomware altogether.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download


Ransomware now strikes one in 40 organisations per week, Check Point finds

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

HMRC lost nearly 50% more devices in 2022

HMRC lost nearly 50% more devices in 2022

17 Mar 2023
The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Outlook zero day patch causes headaches for Windows admins

Outlook zero day patch causes headaches for Windows admins

15 Mar 2023