US, UK sanction more Russians linked to Trickbot

Alexander Mozhaev, a member of the administrative team, who is also known by the online monikers Green and Rocco.

Also on Thursday, the US Justice Department unsealed three indictments against nine individuals allegedly involved in Trickbot and Conti ransomware infections, including seven of the newly sanctioned individuals.

Federal grand juries in northern Ohio, Tennessee, and southern California approved charges against the suspects including computer hacking, money laundering, and wire fraud.

“The Justice Department has taken action against individuals we allege developed and deployed a dangerous malware scheme used in cyberattacks on American school districts, local governments, and financial institutions,” said US Attorney General Merrick Garland.

“Separately, we have also taken action against individuals we allege are behind one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services. These actions should serve as a warning to cybercriminals who target America’s critical infrastructure that they cannot hide from the United States Department of Justice.”

The Ohio federal indictment [PDF] charges nine people for their alleged roles in developing, deploying, managing, and profiting from Trickbot. If convicted, each defendant faces a maximum of 62 years in prison.

Meanwhile, the Tennessee rap sheet [PDF] charges four men for their alleged roles in using Conti to infect hundreds of victims, including the computer systems of a sheriff’s department, a police department, and emergency medical services. If convicted, each of the four faces up to 25 years behind bars.

And the third indictment, returned in southern sunny California, charges one man — Galochkin — with three counts of hacking computers and deploying Conti on a Scripps Health hospital. 

The ransomware infection caused the “impairment of the medical examination, diagnosis, treatment, and care of one or more individuals, a threat to public health and safety, and damage affecting 10 or more protected computers during a one-year period,” according to prosecutors [PDF].

Galochkin faces a maximum penalty of 20 years in prison.

Wizard Spider is the OG Russian crew behind the Trickbot malware, along with Conti and Ryuk, though the gang is more commonly known simply as Trickbot. It targets government agencies and private companies.

The Trickbot code was first spotted by security researchers in 2016, and it was a Windows software nasty that evolved from the Dyre banking trojan. Since then, it has grown into an entire malware suite that includes ransomware.

During the height of the COVID-19 pandemic in 2020, the bot’s gang infected three Minnesota medical facilities with ransomware, locking staff out of their computers and phone networks, and forcing ambulances to be diverted to other hospitals.

Trickbot survived an attempted takedown in 2020 before reportedly shutting down its infrastructure in 2022. 

Conti, meanwhile, was used to infect more than 900 victims worldwide, including victims in 47 states, the District of Columbia, Puerto Rico, and 31 foreign countries, we’re told. According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant, so far at least. ®