The US Justice Department on Thursday announced indictments against nine men for working for a notorious cybercriminal network with alleged ties to Russian intelligence and which held US hospitals for ransom and reaped over $100 million in payments.
It’s the culmination of a years-long FBI investigation into a ransomware gang that pledged allegiance to Russia as it launched its assault on Ukraine last year, and whose members have allegedly discussed hacking a journalist investigating the poisoning of Kremlin critic Alexey Navalny.
The nine men – eight Russians and a Ukrainian, according to the charging documents – remain at large, but US officials are hoping a multimillion-dollar rewards program run by the State Department can lead to tips on the men’s whereabouts if and when they leave Russia.
“The offer has been proven to be highly valuable to us and our operations against cybercriminals,” a senior FBI official told CNN.
The Treasury Department also slapped sanctions on the men, cutting off their access to the dollar.
It’s the latest move in an aggressive campaign by the US and its allies in the last two years to disrupt ransomware gangs in Russia and Eastern Europe that have knocked schools and health care providers offline.
Without any cooperation from the Russian government in rounding up alleged cybercriminals, the US Justice Department has relied on publicly exposing the hackers’ tactics, seizing their computer infrastructure if it is hosted by Western tech firms, and hoping that the hackers go on vacation to a country willing to extradite them to the US.
Despite the long odds of arrest, the US has multiple accused Russian hackers in custody, including a 42-year-old man whom a US judge sentenced to nine years in prison on Thursday for his alleged role in a $93 million securities trading scheme.
US officials have considered alleged Russian hackers in US custody as potential candidates in prisoner swap negotiations for Americans detained in Russia.
The nine men whose indictments were unsealed Thursday allegedly used two types of hacking tools affiliated with Russian-speaking cybercriminals: one, known as TrickBot, to initially hack victims, and another, known as Conti, to lock up their computers and demand exorbitant payments. (People affiliated with TrickBot and Conti have overlapped, and US officials sometimes refer to them as a singular gang.)
The Conti ransomware has been used on hundreds of organizations worldwide, including almost 300 in the US, according to the senior FBI official. That includes a sheriff’s department and an emergency medical service in Tennessee, according to the indictments unsealed Thursday.
Conti operatives have racked up $180 million in ransom payments, according to UK officials, who also announced sanctions on some of the alleged cybercriminals on Thursday.
The Conti gang garnered international headlines in February 2022, when it pledged its “full support” for the Russian government as it attacked Ukraine. A Ukrainian cybersecurity researcher retaliated by leaking thousands of internal documents on the group, including evidence that appears to suggest Conti operatives have contacts within the Russian government.
The Ukrainian researcher told CNN at the time that an FBI agent contacted him to tell him to stop leaking the information. Exposing Conti infrastructure could have, in theory, made it more difficult for the FBI to track the group because it might set up new computer systems. The FBI has declined to comment on any interaction with the researcher.
The Conti code hasn’t been used in recent ransomware attacks, but that doesn’t mean the hackers have been quiet. “Conti went away, but the actors didn’t necessarily,” the senior FBI official conceded.
The FBI official declined to comment on the current whereabouts of the nine newly indicted men, or how the FBI tracks them. “This is ongoing. We’re not done with it yet.”
