US indicts 9 Russians behind Trickbot malware
- The cybercrime group used ransomware to attack hundreds of targets internationally, particularly hospitals amid the Covid-19 pandemic
- The operation reaped at least US$180 million worldwide, according to Britain’s National Crime Agency
The United States announced indictments on Thursday of nine Russians alleged to be members of the Trickbot cybercrime group, which ran ransomware schemes to extort businesses, including hospitals, during the Covid-19 pandemic.
The nine, some of whom were alleged to have links to Russian intelligence services, were named in a series of indictments in Ohio, Tennessee and California, where a number of their extortion targets were located.
In parallel, the US Treasury and the State Department, along with British authorities, placed the nine alleged hackers and two others on their sanctions blacklists.
The indictments said the Trickbot group deployed the Trickbot malware and an associated ransomware strain called Conti to attack hundreds of targets across nearly all of the United States and in more than 30 other countries since 2016.
The malware was also used to steal online banking logins and passwords from victims’ computers in order to drain money from their accounts.
According to Britain’s National Crime Agency, the operation reaped at least US$180 million worldwide, including £27 million (US$33.7 million) from British targets.
The group particularly targeted hospitals and healthcare services from 2020 to 2021, authorities said.
They would break into a computer system and encrypt its data, then demand hundreds of thousands or even millions of dollars in each case, paid in cryptocurrency, to restore access to the systems.
In one example, the group used ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones and causing a diversion of ambulances, US officials said.
“Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which ransoms had been paid to the group,” according to a Treasury statement.
In July 2020, an attack hit a local government in a Tennessee town, locking down local emergency medical services and the police department. A May 2021 intrusion into a California hospital network, Scripps Health, locked up the computers of some 24 acute-care and outpatient facilities.
Scripps later said the cyberattack cost it tens of millions of dollars, including lost revenue and the costs of a lawsuit charging it did not adequately protect patient records.
The nine include Andrey Zhuykov, identified as the senior administrator of Trickbot’s operations, as well as coders, testers, a Trickbot “human resources manager” and a finance manager. They face multiple charges of conspiracy and fraud. All remain at large.
The case was built on top of two previous indictments of Trickbot operatives.
Russian national Vladimir Dunaev, an alleged malware developer, was extradited to the United States from South Korea in 2021.
The second, Latvian national Alla Witte, who helped write code for Trickbot and laundered proceeds from the ransomware, pleaded guilty in Ohio in June to conspiracy to commit computer fraud after being extradited from Suriname.