The British and American authorities are continuing their “name and shame” strategy targeting cybercriminals and revealed, on Thursday September 7, a list of eleven people suspected of participating in one of the largest cybercriminal groups Russians of recent years, often called Trickbot or Conti, from the name of the operations which made it famous.

This group, which probably operates largely from Russian territory where it has even been suspected of renting physical offices, has become in a few years a real piracy SME. He is mainly known for two operations. The first, Trickbot, was initially a banking Trojan, that is to say a tool used to infect computers and steal banking credentials then used or resold on the black market. Subsequently, Trickbot became a veritable toolkit used to infect a large number of computers and possibly install other malware on them. In less than ten years, Trickbot has established itself as a major threat.

More recent, Conti is the name of ransomware used to encrypt the files of one or more computers on a computer network in order to render the machines unusable. A ransom is then demanded from the victims, who must pay to obtain the decryption key and recover their data. Until 2022, the group was one of the most active and effective in the small ransomware sector: it is notably known for a major attack against the Irish health service in 2021.

A major data leak

This small cybercrime company suffered a hard blow at the start of the war in Ukraine with the disclosure by an undercover researcher of tens of thousands of lines of internal conversations between some of its members. The “Conti Leaks” revealed the daily workings of this group of hackers, all identified by pseudonyms.

On Thursday, the British and American authorities came to put names and first names to these aliases, announcing sanctions and bans on entering the territory for eleven people suspected of participation in the activities of Conti or Trickbot. Among them, we find in particular “Buza”, identified as Maksim Rudenskiy and suspected of being one of the heads of the technical team of the Trickbot network. “Mango”, believed to actually be called Mikhail Tsarev, was also widely present in the “Conti Leaks”. He allegedly operated the human resources activities of the cybercriminal group. According to the United Kingdom authorities, Andrey Zhuykov, known among others by the pseudonyms “Defender” and “Adam”, was “a central player in the group and [a] high-ranking administrator”.

The British government statement also claims the group “maintained links to and received instructions from Russian intelligence services.” Already in 2022, in certain conversations present in Conti Leaks, one of its members explained having been approached by the Russian authorities, who had asked him for help in spying on an investigative journalist working on the opponent Alexei Navalny.

For their part, the American judicial authorities have published three indictments targeting the alleged operators of Conti and Trickbot, in line with the deterrence strategy put in place by the United States. Knowing that these cybercriminals, who often operate behind Russian borders, are rarely arrested, the American authorities very regularly publish indictments in order to put pressure on Russia, accused of turning a blind eye to their activities. At the same time, they show those responsible for ransomware attacks that they can be identified and directly targeted by justice.