For years, Russia-based ransomware gangs have launched crippling attacks against businesses, hospitals, and public sector bodies, extorting hundreds of millions of dollars from victims and causing untold disruption. And they’ve done so with impunity—but no more. Today, as part of a push to shut down ransomware gangs, the UK and US governments have unmasked some of the criminals behind the attacks. 

In a rare move, officials have sanctioned seven alleged members of notorious ransomware gangs and published their real-world names, dates of birth, email addresses, and photos. All seven of the named cybercriminals are said to belong to the Conti and Trickbot ransomware groups, which are linked and often jointly referred to as Wizard Spider. Moreover, the UK and US are now explicitly calling out links between Conti and Trickbot and Russia’s intelligence services.

“By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” UK foreign secretary James Cleverly said in a statement on Thursday. “These cynical cyberattacks cause real damage to people’s lives and livelihoods.”

The seven gang members named by the two governments are: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. All the members have online handles, such as Baget and Tropa, that they used to communicate with each other without using their real-world identities.

On Thursday, the UK’s National Cyber Security Center (NCSC) said it is “highly likely” that members of the Conti group have links to “the Russian Intelligence Services” and that those agencies have “likely” directed some of the gang’s actions. NCSC is part of the UK intelligence agency GCHQ, and this is the first time the UK has sanctioned ransomware criminals.

Similarly, the US Department of the Treasury has concluded that Trickbot Group members are “associated with Russian Intelligence Services.” It added that the group’s actions in 2020 were aligned with Russia’s international interests and “targeting previously conducted by Russian Intelligence Services.”

According to the US Treasury, these members were involved in malware and ransomware development, money laundering, fraud, injection of malicious code into websites to steal login details, and managerial roles. As part of the sanctions, the UK froze assets belonging to the ransomware actors and imposed travel bans on them. The US District Court for the District of New Jersey also unsealed an indictment charging Vitaliy Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud against US financial institutions in 2009 and 2010.

Governments have struggled to get a handle on the growing ransomware threat, in large part because many of the criminal groups operate in Russia. The Kremlin has provided a safe haven for these bad actors—as long as they don’t target Russian companies. Last year, following a string of particularly aggressive and disruptive attacks on US and UK targets, Russian law enforcement did arrest more than a dozen alleged members of the notorious ransomware gang REvil. But Russia has continued to be the origin point for an array of cybercriminal activity, including ransomware attacks.

Alex Holden, the founder of security firm Hold Security, has tracked the Conti and Trickbot groups for the better part of a decade, mapping out their members and activities. Holden says that “unmasking” the criminals can make a difference to their actions. “Ransomware gang members should be afraid of their real names being made public, as they will be forced to run and hide even if they can’t be brought to justice in our legal system,” he says.  

The unmasking of Conti and Trickbot members follows two huge leaks from the criminal gangs in early 2022. After Vladimir Putin’s full-scale invasion of Ukraine in February 2022, members of the Conti gang declared their support for Russia. A Ukrainian cybersecurity researcher who had infiltrated the group reacted by leaking more than 60,000 of its internal chat messages, revealing key details about members and their hacking activities. This was followed by a second leak from Trickbot, weeks later. It is likely that these details have helped law enforcement agencies track down and identify members of the gangs.

Researchers have long concluded that cybercriminals working in Russia have amorphous but crucial connections to the Kremlin, but there has been little clear information, and officials have often been vague about the dynamic. 

Kimberly Goody, a senior manager in cybercrime analysis at the Google-owned security company Mandiant, says details from the leaked chatlogs in early 2022 are consistent with the US and UK linking some elements of the groups to Russian intelligence services. 

The Conti chatlog leak also revealed some potential links between Conti members and the Russian state. The logs show Conti members working on “government topics” for their hacking and illustrate their knowledge of the prominent Kremlin-sponsored hacking group Cozy Bear. Members of Conti also discussed whether they could hack someone linked to open source investigative journalism unit Bellingcat.

The cybercrime group was “inarguably not flying below the radar,” Goody says. “Russia knew about it, and they [Russia] have a history of tapping into their community of cyber criminals when it suits them—we saw that with the Dridex sanctions too.” Goody adds that the leaked chats show that other Trickbot members, who were not named in the most recent sanctions, may also have received instructions from people outside Trickbot.

In the summer of 2022, Google’s Threat Analysis Group and IBM’s X-Force both said Trickbot and Conti had shifted focus to attack Ukraine, a move that clearly appeared aligned with Russian interests. The IBM security researchers said they had not seen the group previously targeting Ukraine and called it an “unprecedented shift.”

Over the past decade, governments have increasingly called out state-backed hacking efforts from Russia, China, and other nations, occasionally even revealing the identities of individual government hackers. But researchers say that the focus on naming individual cybercriminals represents an important shift. “We’re now seeing these methods increasingly used with ransomware actors, reflecting the growing priority of cybercrime on national security agendas,” says Jamie Collier, a senior threat intelligence advisor at Mandiant.

But the long-term impact of unmasking ransomware groups is unclear. While the Conti group, for example, disbanded in June 2022 after hacking the government of Costa Rica, its members are thought to have continued their criminal activities, seemingly joining the Quantum, Royal, and Black Basta ransomware groups. But for victims who have faced the disruption and financial devastation of cybercrime, aggressive new action from world governments can’t come soon enough.