A federal grand jury in the Northern District of Ohio returned an indictment charging nine people, all Russian nationals, with conspiring to use the Trickbot malware to steal money and personal and confidential information from victims, including schools, businesses, banks and other entities in the U.S. and around the world, beginning in November 2015.
The case was filed in federal court in Youngstown because there are local victims, including a public school district in Avon and a real estate firm in North Canton, according to the indictment. A public school district in Akron, whose computer systems were likewise infected, is also listed as a cooperating witness in the case.
Prosecutors allege the group wired or attempted to wire more than $1.1 million from the Avon school district and nearly $770,000 from the real estate firm. The infections happened between October 2017 and May 2019, according to the indictment.
The defendants are:
- Maksim Galochkin, aka Bentley
- Maksim Rudenskiy, aka Buza
- Mikhail Mikhailovich Tsarev, aka Mango
- Andrey Yuryevich Zhuykov, aka Defender
- Dmitry Putilin, aka Grad and Staff
- Sergey Loguntsov, aka Begemot and Zulas
- Max Mikhaylov, aka Baget
- Valentin Karyagin, aka Globus
- Maksim Khaliullin, aka Maxfax, Maxhax and Kagas
Businesses and other entities were targeted using “spoof” websites and “Trickbots,” according to the indictment.
“The Justice Department has taken action against individuals we allege developed and deployed a dangerous malware scheme used in cyberattacks on American school districts, local governments, and financial institutions,” said Attorney General Merrick B. Garland. “Separately, we have also taken action against individuals we allege are behind one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services.”
Trickbot malware was taken down in 2022, but while active, it acted as an initial pathway into victim computer systems, and was used to support various ransomware variants, including “Conti.”
“Conti” was a ransomware variant used to attack more than 900 victims worldwide, including victims in approximately 47 states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries.
According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant.
Indictments were also filed in the Middle District of Tennessee and the Southern District of California.