DOJ charges foreign nationals over malware schemes

The DOJ has charged nine individuals associated with Conti and Trickbot malware that have wreaked havoc on healthcare systems.
By admin
Sep 15, 2023, 1:04 PM

The U.S. Department of Justice announced on Thursday indictments against nine foreign nationals for their involvement in Trickbot malware and Conti ransomware operations that successfully extorted over $100 million from U.S. hospitals.  

“Today’s announcement shows our ongoing commitment to bringing the most heinous cyber criminals to justice – those who have devoted themselves to inflicting harm on the American public, our hospitals, schools, and businesses,” said FBI Director Christopher Wray in the release.  

“Cyber criminals know that we will use every lawful tool at our disposal to identify them, tirelessly pursue them, and disrupt their criminal activity. We, alongside our federal and international partners, will continue to impose costs through joint operations no matter where these criminals may attempt to hide.” 

An indictment has been returned by a federal grand jury in Ohio’s Northern District against the following individuals: Maksim Galochkin (aka Bentley), Maksim Rudenskiy (aka Buza), Mikhail Mikhailovich Tsarev (aka Mango), Andrey Yuryevich Zhuykov (aka Defender), Dmitry Putilin (aka Grad and Staff), Sergey Loguntsov (aka Begemot and Zulas), Max Mikhaylov (aka Baget), Valentin Karyagin (aka Globus), and Maksim Khaliullin (aka Maxfax, Maxhax, and Kagas).

These individuals have been charged with using Trickbot malware to steal money and obtain personal and confidential data from unsuspecting victims worldwide since 2015. 

A federal grand jury in the Middle District of Tennessee has returned an indictment against Galochkin, Rudenskiy, Tsarev, and Zhuykov, accusing them of conspiring to deploy Conti ransomware in attacks against businesses, nonprofits, and governmental bodies in the U.S. from 2020 through June 2022, including an attack on medical emergency services.  

In a separate case, the Southern District of California’s federal grand jury indicted Galochkin in relation to the Conti ransomware assault on Scripps Health that transpired on May 1, 2021. 

Trickbot crackdown 

First identified in 2016, Trickbot is a collection of malware tools designed to steal money from unsuspecting victims. One of its strains, a ransomware known as Conti, has been associated with over 900 cyberattacks worldwide, including 300 in the U.S.  

One of the most notorious Conti attacks hit Scripps Health in San Diego. Its network was down for over four weeks, over 1.2 million patient records were exposed, and Scripps had to pay more than $3.5 million to the victims of the data breach, in addition to suffering the financial losses associated with the month-long attack.

Research later published in JAMA Network studied the attack and its effect on neighboring hospitals, concluding that a cyberattack on one hospital or health system can have a ripple effect on healthcare systems in the area. The influx of patients to neighboring institutions leads to increased wait times for emergency services and hampers patient care.

The Treasury Department also imposed sanctions on the hackers, who are still at large, in an attempt to restrict their access to the dollar.  

“The Justice Department has taken action against individuals we allege developed and deployed a dangerous malware scheme used in cyberattacks on American school districts, local governments, and financial institutions,” said Attorney General Merrick B. Garland. 

“Separately, we have also taken action against individuals we allege are behind one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services. These actions should serve as a warning to cybercriminals who target America’s critical infrastructure that they cannot hide from the United States Department of Justice.” 
