UK cracks down on ransomware actors – GOV.UK

The UK has sanctioned 7 Russian cyber criminals through coordinated actions with the US government.
Seven Russian cyber criminals have today (Thursday 9 February) been sanctioned by the UK and US in the first wave of new coordinated action against international cyber crime. These individuals have been associated with the development or deployment of a range of ransomware strains which have targeted the UK and US.
Foreign Secretary James Cleverly said:
By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account.
These cynical cyber attacks cause real damage to people’s lives and livelihoods. We will always put our national security first by protecting the UK and our allies from serious organised crime – whatever its form and wherever it originates.
Ransomware criminals specifically target the systems of organisations they judge will pay them the most money and time their attacks to cause maximum damage, including targeting hospitals in the middle of the pandemic.
Ransomware groups known as Conti, Wizard Spider, UNC1878, Gold Blackburn, Trickman and Trickbot have been responsible for the development and deployment of: Trickbot, Anchor, BazarLoader, BazarBackdoor as well as the ransomware strains Conti and Diavol. They are also involved in the deployment of Ryuk ransomware.
The ransomware strains known as Conti and Ryuk affected 149 UK individuals and businesses. The ransomware was responsible for extorting at least an estimated £27 million. There were 104 UK victims of the Conti strain who paid approximately £10 million and 45 victims of the Ryuk strain who paid approximately £17 million.
Conti was behind attacks that targeted hospitals, schools, businesses and local authorities, including the Scottish Environment Protection Agency. The group behind Conti extorted $180 million through ransomware in 2021 alone, according to research from Chainalysis.
Conti was one of the first cyber crime groups to back Russia’s war in Ukraine, voicing their support for the Kremlin within 24 hours of the invasion.
Although the ransomware group responsible for Conti disbanded in May 2022, reporting suggests members of the group continue to be involved in some of the most notorious new ransomware strains that dominate and threaten UK security.
Security Minister Tom Tugendhat said:
We’re targeting cyber criminals who have been involved in some of the most prolific and damaging forms of ransomware. Ransomware criminals have hit hospitals and schools, hurt many and disrupted lives, at great expense to the taxpayer.
Cyber crime knows no boundaries and threatens our national security. These sanctions identify and expose those responsible.
A wide range of organisations have been targeted by ransomware criminals, including at least 10 schools and universities in the UK, as well as hospitals, a forensic laboratory and local authorities. The Government of Costa Rica was also targeted last year.
Ireland’s Health Service Executive were targeted by ransomware actors during the COVID pandemic, leading to disruption to blood tests, x-rays, CT scans, radiotherapy and chemotherapy appointments over 10 days.
Another recent ransomware attack included a transportation and cold storage firm, whose IT systems were under attack for nearly a week in 2021.
These sanctions follow a complex, large-scale and ongoing investigation led by the NCA, which will continue to pursue all investigative lines of enquiry to disrupt the ransomware threat to the UK in collaboration with partners.
National Crime Agency Director-General Graeme Biggar said:
This is a hugely significant moment for the UK and our collaborative efforts with the US to disrupt international cyber criminals.
The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies. They show that these criminals and those that support them are not immune to UK action, and this is just one tool we will use to crack down on this threat and protect the public.
This is an excellent example of the dedication and expertise of the NCA team who have worked closely with partners on this complex investigation. We will continue to deploy our unique capabilities to expose cyber criminals and work alongside our international partners to hold those responsible to account, wherever they are in the world.
UK and US authorities will continue to expose these cyber criminals and crack down on their activities. This announcement of sanctions against 7 individuals marks the start of a campaign of coordinated action against ransomware actors being led by the UK and US.
The National Cyber Security Centre (NCSC), a part of GCHQ, has assessed that:
NCSC Chief Executive Officer Lindy Cameron said:
Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be.
The NCSC is working with partners to bear down on ransomware attacks and those responsible, helping to prevent incidents and improve our collective resilience.
It is vital organisations take immediate steps to limit their risk by following the NCSC’s advice on how to put robust defences in place to protect their networks.
Victims of ransomware attacks should use the UK government’s Cyber Incident Signposting Site as soon as possible after an attack.
Today, the UK’s Office of Financial Sanctions Implementation (OFSI) are also publishing new public guidance which sets out the implications of these new sanctions in ransomware cases.
The individuals designated today are:
Making funds available to these individuals, such as by paying ransoms, including in crypto assets, is prohibited under these sanctions. Organisations should have, or should put in place, robust cyber security and incident management systems to prevent and manage serious cyber incidents.
Read further guidance on UK sanctions relating to cyber activity and view the full UK Sanctions List.
Media enquiries
Telephone 020 7008 3100
Contact the FCDO Communication Team via email (monitored 24 hours a day) in the first instance, and we will respond as soon as possible.