Russian cybercriminals behind a notorious ransomware gang that persistently targeted UK victims – including the Scottish Environment Protection Agency – have been named by the National Crime Agency following a lengthy investigation.

Seven members of a dark web cyber cartel which controlled the Conti, Ryuk and Trickbot ransomware and malware strains were officially sanctioned by authorities in the UK and the US.

They are believed to be responsible for a cybercrime wave that targeted websites around the world, extorting at least £27m from 149 UK victims, including hospitals, schools, businesses and local authorities, although their true impact is likely to be much higher.

The sanctions, which are being announced today by the the Foreign Office alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), form part of a concerted campaign by the UK and the US to tackle international cybercrime.

They follow a lengthy investigation by the NCA into the crime group behind Trickbot malware, as well as the Conti and RYUK ransomware strains, among others.

Those identified and sanctioned are:

  • Vitaliy Kovalev (historical use of AKA Ben and AKA Bentley)
  • Valery Sedletski (AKA Strix – pictured, top middle)
  • Valentin Karyagin (AKA Globus – pictured, bottom right)
  • Maksim Mikhailov (AKA Baget – pictured, bottom left)
  • Dmitry Pleshevskiy (AKA Iseldor – pictured, top right)
  • Mikhail Iskritskiy (AKA Tropa – pictured, bottom middle)
  • Ivan Vakhromeyev (AKA Mushroom – pictured, top left)

NCA Director General Graeme Biggar said: “This is a hugely significant moment for the UK and our collaborative efforts with OFAC to disrupt international cybercriminals. 

“The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.

“This is an excellent example of the dedication and expertise of the NCA team who have worked closely with partners on this complex investigation. We will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.”

Ransomware is regarded by UK law enforcement as ‘a tier one national security threat’, with attacks continuing to increase in scale and complexity. The criminals behind ransomware attacks specifically target the systems of organisations they judge will pay them the most money and time their attacks to cause maximum damage, including targeting hospitals in the middle of the pandemic. They frequently use what is referred to as a ‘double extortion’ method, whereby they not only prevent an organisation from regaining access to their network but they threaten to publish an organisation’s stolen data on the dark web to act as leverage to force payment.

In SEPA’s case, the tactic failed but the outage caused significant disruption and led to the organisation having to rebuild its systems from scratch.

Although the Conti group disbanded last year, reporting suggests its members, including those sanctioned, continue to be involved in some of the most notorious new ransomware strains that dominate and threaten UK security. 

The seven cybercriminals are now subject to travel bans and asset freezes, and are severely restricted in their use of the global financial system. However, there is no extradition treaty with Russia and efforts to bring them to justice routinely fail, despite high-level political pressure.

Foreign Secretary James Cleverly said: “By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account. 

“These cynical cyberattacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.”

An indictment was unsealed today in the US District Court for the District of New Jersey charging one of the individuals, Vitaliy Kovalev, with conspiracy to commit bank fraud and eight counts of bank fraud in connection with a series of intrusions into victim bank accounts held at various US-based financial institutions that occurred in 2009 and 2010. This alleged offending predates that of the Conti group.

According to research from Chainalysis, the group extorted $180 million from global ransomware victims in 2021 alone.

Recent victims in the UK include the Scottish Environment Protection Agency and Glasgow-based social and homelessness care organisation Aspire. The food distribution firm Reed Boardall, Redcar and Cleveland Council, and forensic laboratory Eurofins, were also hit, as was famous London diamond merchant Graff, which reportedly paid $7.5m in bitcoin to the gang to prevent further publication of its data.

Internationally the Irish Health Service Executive, Costa Rican Government and American healthcare providers were also targeted.

Security Minister Tom Tugendhat said: “We’re targeting cybercriminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, hurt many and disrupted lives, at great expense to the taxpayer. 

“Cybercrime knows no boundaries and threatens our national security. These sanctions identify and expose those responsible.” 

Security agencies say the Russian state provides a ‘permissive environment’ for ransomware actors to operate by neglecting their responsibility to investigate and disrupt such groups and, in some instances, by actively supporting these groups in their criminal endeavours.

The National Cyber Security Centre (NCSC) assessed that key members of the Conti group highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking.

The group was one of the first cybercrime groups to back Russia’s war in Ukraine, voicing their support for the Kremlin within 24 hours of the invasion. 

Lindy Cameron, CEO of the NCSC, said: “Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be. 

“The NCSC is working with partners to bear down on ransomware attacks and those responsible, helping to prevent incidents and improve our collective resilience. 

“It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.