US and UK sanction suspected members of major Russian cybercriminal group

The British and American authorities are continuing their “name and shame” strategy against cybercriminals and revealed, on Thursday, September 7, a list of eleven people suspected of participating in one of the largest Russian cybercriminal groups of recent years, often called Trickbot or Conti after the operations that made it famous.

This group, which probably operates largely from Russian territory, where it has even been suspected of renting physical offices, has in a few years become a veritable cybercrime SME. It is mainly known for two operations. The first, Trickbot, was initially a banking Trojan, that is, a tool used to infect computers and steal banking credentials that were then used or resold on the black market. Subsequently, Trickbot became a full toolkit used to infect large numbers of computers and, where wanted, install other malware on them. In less than ten years, Trickbot established itself as a major threat.

More recently, Conti is the name of ransomware used to encrypt the files of one or more computers on a network in order to render the machines unusable. A ransom is then demanded from the victims, who must pay to obtain the decryption key and recover their data. Until 2022, the group was one of the most active and effective in the small ransomware sector: it is notably known for a major attack against the Irish health services in 2021.

A major data leak

This small cybercrime company suffered a hard blow at the start of the war in Ukraine with the disclosure, by an undercover researcher, of tens of thousands of lines of internal conversations between some of its members. The “Conti Leaks” revealed the daily workings of this group of hackers, all identified by pseudonyms.


On Thursday, the British and American authorities put names and surnames to these aliases, announcing sanctions and entry bans for eleven people suspected of participating in the activities of Conti or Trickbot. Among them is “Buza”, identified as Maksim Rudenskiy and suspected of being one of the heads of the Trickbot network's technical team. “Mango”, believed to actually be named Mikhail Tsarev, was also widely present in the “Conti Leaks”; he allegedly ran the cybercriminal group's human resources activities. According to the United Kingdom authorities, Andrey Zhuykov, known among other pseudonyms as “Defender” and “Adam”, was “a central player in the group and [a] high-ranking administrator”.

The British government statement also claims that the group “maintained links and received instructions from Russian intelligence services”. Already in 2022, in certain conversations found in the Conti Leaks, one of its members explained that he had been approached by the Russian authorities, who had asked him for help in spying on an investigative journalist working on the opposition figure Alexei Navalny.

For their part, the American judicial authorities have issued three indictments targeting the alleged operators of Conti and Trickbot, in line with the deterrence strategy adopted by the United States. Knowing that these cybercriminals, who often operate from behind Russian borders, are rarely arrested, the American authorities regularly publish indictments in order to put pressure on Russia, which is accused of turning a blind eye to their activities. At the same time, they show those responsible for ransomware attacks that they can be identified and directly targeted by the justice system.
