
Angelika Hellweger

Legal Director, Rahman Ravelli


Russia: cybercrime and co-ordinated sanctions action


Angelika Hellweger considers the issues involved in the US and UK's sanctioning of Russian cyber criminals.

On February 9, seven individuals from the Russian cybercrime group Trickbot were added to the consolidated list under The Cyber (Sanctions) (EU Exit) Regulations 2020.

Trickbot was one of the first cybercrime groups to back Russia's war in Ukraine, according to the National Crime Agency (NCA). The individuals, who are all Russian, have been sanctioned for their involvement in cyberactivity “intended to undermine the integrity of the UK and other countries, or cause economic loss/prejudice to commercial interests”.

Trickbot's malicious software has been considered one of the internet’s biggest security threats, capable of stealing financial data, moving across networks and planting ransom software. The US Treasury had accused Trickbot of launching ransomware attacks on US hospitals at the height of the coronavirus pandemic in 2020.

The NCA has said that the action against Trickbot individuals was the first sanctions deployment of its kind against cybercriminals and represented the first stage of new coordinated UK-US action against such groups. Both countries have imposed the sanctions.

Although Trickbot's malicious software hasn't been used in two years, the individuals behind it are reportedly still active and collaborating. Some cybercrime experts have argued that Trickbot's activities may have been taken over by another ransomware group, called Conti. Both Trickbot and Conti have been accused by the UK and US of being linked to the Russian intelligence services.

This is the first time that the UK has imposed cybercrime sanctions on ransomware suspects. The action comes just as the UK’s Office of Financial Sanctions Implementation (OFSI) published its guidance on ransomware and sanctions.

Taken together, these two factors indicate an increased determination to identify and sanction those believed to be perpetrating cybercrime. They also highlight the increased international cooperation between enforcement authorities when it comes to ransomware crimes and those who carry them out. The action against the Trickbot individuals came just two weeks after German, Dutch and US authorities worked together to penetrate and shut down another ransomware group called Hive that had targeted schools and hospitals.

While sanctions can limit people's ability to travel internationally, they cannot help with their arrest if they are in a country that permits them to operate and remain there. Therefore, the sanctions against the Trickbot individuals are unlikely to prevent them from laundering the proceeds of their crimes. There is also little prospect of them stopping their criminal activity. They may go ‘underground’ for a while to avoid any immediate attention. But they can be expected to re-emerge later to carry on their activities, although this may be done under a new identity.

Because of these factors, sanctions may convince some criminals to leave the group that is the subject of the sanctions, but they won't be able to significantly lessen the threat or allure of ransomware on their own. As the sanctions were imposed only on individuals, not the group, it would be difficult to determine if any one of them would receive a cut of a ransom.

This also means that ransomware victims could, in theory, still pay a ransom to the group without breaching any regulations, as long as they do not transact with sanctioned persons. Although the UK Treasury has previously warned that paying ransoms may fall foul of sanctions, it is reportedly keen to avoid potentially ‘re-victimising’ hacking targets by making ransomware payments illegal.

It is significant that Russia already appears to have reacted to this joint US-UK action. The Russian government reportedly wants to decriminalise hacking and is exploring the idea of absolving Russian hackers of criminal liability wherever they are based, providing the hacking is carried out in the interests of the Russian state.

Angelika Hellweger is legal director at Rahman Ravelli