The United States and United Kingdom have placed joint sanctions on key members of the TrickBot ransomware gang, in a move that some security analysts believe could put a final nail in the coffin of the group. Seven Russian hackers operating in various roles in the group have been named, and though they will likely remain free if they stay in Russia they will have a great deal of trouble moving money internationally.
The move will also likely dissuade victims from paying ransom demands, something that has stymied other major ransomware gangs in the past year. The downside to all this is that the members will likely form up again under another name, just as refugees from other ransomware groups are thought to have joined TrickBot.
Sanctions appear to cool activity by Russian hackers
While sanctions do not put Russian hackers out of business entirely, they appear to have a dampening effect on their activities as they disrupt regular operations and force them to reorganize with fewer payment processing options available. Other major ransomware gangs, such as Conti, have disbanded merely at the prospect of being hit with them.
The Russian hackers are unlikely to quit cyber crime and get legitimate jobs, but once they are “marked” in this way they could drag down whichever other ransomware gangs they scatter to, if they are identified as members. TrickBot is something of an unusual case in that the group has a long history of other cyber crimes prior to becoming a ransomware gang, and the Treasury Department says that it has connections to Russian intelligence services (the basis for the sanctions), so it may not go away immediately. However, security researchers say that its activity had virtually ceased as of February and that the group is believed to be shifting to using the Emotet malware.
Ransomware gang may have coordinated with FSB
The first indication that the ransomware gang was working with Russian intelligence came from leaked internal chats in March 2022, showing certain members communicating with the FSB. TrickBot has been attacking targets all over the world since at least 2016, but the Russian hackers raised the greatest amount of ire when they focused on health care facilities in the US and UK during the height of the coronavirus pandemic in 2020.
The sanctioned Russian hackers played various roles in TrickBot’s operations, such as developing the ransomware gang’s malware and maintaining its servers. Some security analysts see this as a sign that increasing pressure of this sort will be put on major ransomware gangs, via a combination of sanctions and coordinated international law enforcement efforts. There is certainly a fair argument to be made for this given how ransomware (and cyber crime in general) has spiked during the pandemic period, but it puts increasing pressure on organizations to ensure that they have adequate backup systems in place and are committed to good security hygiene.