The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

Posted By on Sep 13, 2023

The indictments of multiple members of the TrickBot/Conti Ransomware groups have recently been unsealed and 11 members of these cybercriminal operations have been sanctioned by the United States and the United Kingdom.

A federal grand Jury in the Southern District of California indicted and charged Russian national, Maksim Galochkin, his role in a cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have conducted more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin and co-conspirators Maksim Rudenskiy, Mikhail Mikhailovich Tsarev, Andrey Yuryevich Zhuykov, Dmitry Putilin, Sergey Loguntsov, Max Mikhaylov, Valentin Karyagin, and Maksim Khaliullin, over the use of TrickBot malware to steal funds and confidential information from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States from 2020 until June 2022 when the Conti operation was disbanded.

Galochkin was also one of 11 individuals recently sanctioned by the U.S. Department of Justice, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the United Kingdom for being part of the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 and started life as a banking Trojan. The malware was developed from the Dyre Trojan and was used to attack and steal money from non-Russian businesses. The modular malware evolved over the years and new capabilities were added which allowed the TrickBot gang to conduct a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims around the world and conducted many attacks on hospitals and other healthcare providers in the United States. While the TrickBot gang is a cybercriminal group, members of the group are associated with the Russian intelligence services and have conducted attacks on the U.S. government and other U.S. targets in line with the objectives of the Russian intelligence services.

The 11 sanctioned individuals materially assisted with TrickBot operations and include administrators, managers, developers, and coders. Galochkin (aka Bentley, Crypt, Volhvb) is alleged to have led a group of testers and had responsibilities for the development, supervision, and implementation of tests. The other 10 sanctioned individuals are senior administrator Andrey Zhuykov (aka Dif, Defender); lead coder Maksim Rudenskiy; human resources and finance manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (aka grad, staff); HR manager Maksim Khaliullin (aka Kagas);  TrickBot developer Sergey Loguntsov; internal utilities group member Mikhail Chernov (aka Bullet); admin team member Alexander Mozhaev (aka Green and Rocco); and coders Vadym Valiakhmetov (aka Weldon, Mentos, Vasm) and Artem Kurov (aka Naned).

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

18 members of the TrickBot operation have now been sanctioned with the latest 11 adding to the 7 members sanctioned by the United States and United Kingdom in February this year. The addition of these individuals to OFAC’s sanctions list means all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. All dealings with these individuals by U.S. persons are prohibited, including paying ransoms. Individuals who engage in transactions with sanctioned individuals may themselves be exposed to OFAC designation and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals could be subject to U.S. correspondent or payable-through account sanctions.

All of the indicted and sanctioned individuals remain at large. That is likely to remain the case as they are believed to reside in Russia where there is no extradition treaty with the United States.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist