UK and US Sanction 11 Members of the Russia-Based TrickBot Gang

Cyber Security Threat Summary:
The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)” (Security Affairs, 2023).

The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

Below is the list of sanctioned individuals:

  • Andrey Zhuykov was a central actor in the group and acted as a senior administrator. Andrey Zhuykov is also known by the online monikers Dif and Defender.
  • Maksim Galochkin led a group of testers, with responsibilities for development, supervision, and implementation of tests. Maksim Galochkin is also known by the online monikers Bentley, Crypt, and Volhvb.
  • Maksim Rudenskiy was a key member of the Trickbot group and the team lead for coders.
  • Mikhail Tsarev was a manager with the group, overseeing human resources and finance. He was responsible for management and bookkeeping. Mikhail Tsarev is also known by the monikers Mango, Alexander Grachev, Super Misha, Ivanov Mixail, Misha Krutysha, and Nikita Andreevich Tsarev.
  • Dmitry Putilin was associated with the purchase of Trickbot infrastructure. Dmitry Putilin is also known by the online monikers Grad and Staff.
  • Maksim Khaliullin was an HR manager for the group. He was associated with the purchase of Trickbot infrastructure including procuring Virtual Private Servers. Maksim Khaliullin is also known by the online moniker Kagas.
  • Sergey Loguntsov was a developer for the Trickbot group.
  • Vadym Valiakhmetov worked as a coder for the Trickbot group and is known by the online monikers Weldon, Mentos, and Vasm.
  • Artem Kurov worked as a coder with development duties in the Trickbot group. Artem Kurov is also known by the online moniker Naned.
  • Mikhail Chernov was part of the internal utilities group for Trickbot and is also known by the online moniker Bullet.
  • Alexander Mozhaev was part of the admin team responsible for general administrative duties and is also known by the online monikers Green and Rocco.
Security Officer Comments:
TrickBot is a popular Windows based banking Trojan that has been active since around October 2016. The malware has evolved over time to include new features, including powerful password-stealing capabilities.

TrickBot has partnered with various ransomware groups, most notably Ryuk ransomware. Ransomware groups will commonly partner with malware groups to help with initial access. With Ryuk going quiet, the group has since turned to the Conti ransomware gang, who has been using TrickBot almost exclusively for initial access to organizations worldwide.

The investigation conducted by the UK National Crime Agency (NCA) revealed that the group extorted at least $180 million from victims globally, and at least £27 million from 149 UK victims. The ransomware operation also targeted UK hospitals, schools, local authorities and businesses. “These cyber criminals thrive off anonymity, moving in the shadows of the internet to cause maximum damage and extort money from their victims.” UK Foreign Secretary James Cleverly said. “Our sanctions show they cannot act with impunity. We know who they are and what they are doing.

By exposing the actors identities, the government entities hope to disrupt the groups business models, which will make it harder for them to target people, businesses, and institutions.

Suggested Correction(s):
  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately