US-UK Sanction Conti-Trickbot Ransomware Gang Members


September 7, 2023

World map

The U.S. and U.K. announced sanctions against eleven suspected members of the Russia-based Conti-Trickbot cybercrime group. Russia has long been a safe haven for cybercriminals, including the Trickbot gang.  

The Conti-Trickbot gang is assessed to have direct ties to Russian intelligence services and has extensively targeted private companies and critical infrastructure sectors including healthcare providers.

“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian E. Nelson.  

“In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”

Takeaway: The announcement that the US and UK governments are sanctioning additional members of the Conti-Trickbot Ransomware Gang is welcome news. We hope to see more such actions taken to help stem this ransomware epidemic.

But will these actions diminish the threat from ransomware attacks? No, not at all. Not even a little bit.

"While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had very little impact in regard to disrupting ransomware operations," Jon Miller, CEO and co-founder of Halcyon told the CyberNews.

That’s because the one thing the most notorious ransomware gangs have in common is their ties to Russia and the Putin regime. We know that groups like Conti are closely aligned - if not directly controlled to a degree – by the Russian government and its intelligence apparatus.

This weird overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model – which conveniently allows for plausible deniability for Russia - means we have elements acting that are not necessarily under the direct control of a government but are closely aligned.

"The Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies," Miller explained.

Using ransomware gangs like Conti as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.

The US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.  

Though these actions against the Conti-Trickbot members are necessary, Miller says, "even if they are arrested, there will quickly be someone to take their place.”

Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely even influencing some of their targeting.

Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target, and by then it will be too late to act. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.