10 February 2023


UK and US sanction Russian ransomware gang members | Cyber Intelligence Briefing: 10 February



Top news stories this week

  1. Ransomware crackdown. UK and US sanction seven individuals connected to Trickbot banking trojan and Conti ransomware.
  2. Round two. ESXiArgs ransomware wave continues to hit VMware hypervisor servers.
  3. Fess up! France to require victims to report cyber attacks for insurance coverage.
  4. I spy. Russian ISP data leak exposes Russian government surveillance of citizens.
  5. Checkmate. PeopleConnect confirms data breach affecting millions of customers.
  6. Stocks slide. British manufacturing firm reveals financial impact of cyber attack.


1. UK and US sanction Russian ransomware gang members

Asset freezes and travel bans have been imposed on seven members of the criminal network responsible for the Trickbot banking trojan and the Conti and Ryuk ransomware strains. The Office of Foreign Assets Control’s announcement stated that members of the Trickbot group are “associated with” Russian Intelligence Services, while the UK government’s press release publicly linked the developers to Conti and Ryuk. This is the first formal attribution from an official western government body.

So what?

The sanctions will make it illegal to make payments to the seven individuals. However, UK officials have clarified that there is no intention to penalise victims who are “forced to make a payment in the face of an existential threat”.



2. ESXiArgs ransomware continues to target VMware servers

Last Friday, attackers began actively exploiting a two-year-old vulnerability in unpatched VMware ESXi servers to deploy a ransomware strain known as ESXiArgs. CISA and the FBI have released a decryption script for the first wave of attacks. The threat actor has released an updated version of the encryption tool, which makes recovery impossible in some cases.

Separately, the Royal Ransomware group has developed a variant that primarily affects VMware ESXi virtual machines. This matches a growing trend of threat actors developing ransomware strains targeting Linux devices.

So what?

Organisations that use VMware ESXi services should ensure that port 427 is not exposed to the internet and that the latest updates have been installed. If you have been infected with the ESXiArgs ransomware, follow the recovery script and instructions provided by CISA.
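One way to act on the port 427 advice above, as an added example that is not from the briefing or from VMware: a POSIX sh script for the ESXi Shell that checks whether the SLP service behind port 427 is still open on the host firewall and, with --apply, closes it. It assumes the service is named slpd and its firewall ruleset CIMSLP (the names in VMware's published SLP guidance), that esxcli and chkconfig are on the path, and uses a constructed sample of ruleset output so it can be exercised off-host.

```shell
#!/bin/sh
# Added example, not from the briefing or from VMware. Written for the ESXi
# Shell (busybox ash). Assumption: the service behind port 427 is "slpd" and
# its firewall ruleset is "CIMSLP", as in VMware's published SLP guidance.

# Constructed sample of `esxcli network firewall ruleset list` output, used
# when the script is run without arguments so it can be exercised off-host.
SAMPLE_RULES='Name        Enabled
----------  -------
sshServer   true
CIMSLP      true'

# slp_exposed TEXT: TEXT is ruleset-list output. Returns 0 (true) when the
# CIMSLP ruleset is enabled, i.e. port 427 is open on the host firewall.
slp_exposed() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*CIMSLP[[:space:]]+true([[:space:]]|$)'
}

# slp_check TEXT: report on the given output (or the live host when TEXT is
# empty). Returns non-zero when exposed so a cron job can alert on it.
slp_check() {
  rules=$1
  [ -n "$rules" ] || rules=$(esxcli network firewall ruleset list) || return 2
  if slp_exposed "$rules"; then
    echo "WARNING: CIMSLP enabled, SLP on port 427 reachable through the ESXi firewall"
    return 1
  fi
  echo "OK: CIMSLP ruleset disabled"
}

# slp_disable: stop the daemon, close the firewall ruleset, and keep slpd
# from starting again at boot. Only --apply changes the host.
slp_disable() {
  /etc/init.d/slpd stop || return 1
  esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
  chkconfig slpd off || return 1
}

case "${1:-}" in
  --check) slp_check "" ;;
  --apply) slp_disable && slp_check "" ;;
  *)       slp_check "$SAMPLE_RULES" || true ;;   # demo against the sample
esac
```

Closing the firewall ruleset does not replace patching: the script only removes the exposure, and the latest ESXi updates should still be applied.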




3. France: cyber attacks must be reported for insurance coverage

From April 2023, an update to the French Insurance Code will require victims to report cyber attacks to “competent authorities” within 72 hours to claim insurance. The deadline will be set from the moment the victim becomes aware of the breach.

So what?

It is crucial to stay up to date with regulatory changes that impose additional obligations on organisations that suffer a cyber attack.



4. Hacktivists uncover widespread surveillance by Russian government

Hacktivist group CAXXII has released 128GB of data stolen from Convex, a popular Russian internet service provider, which it claims proves widespread Russian government surveillance. CAXXII, which is affiliated with Anonymous, has accused Convex of running a project named Green Atom to monitor the internet and phone activities of Russian individuals and private companies.

So what?

When working with companies associated with autocratic regimes, assume that your data may be subjected to surveillance. Think carefully about what data is shared in these situations.






5. PeopleConnect data breach

The subscription-based background checking platforms TruthFinder and Instant Checkmate, both owned by PeopleConnect, were the victims of a data breach affecting over 20 million customers. Sensitive data from a 2019 backup database, including customer names, contact numbers, and encrypted passwords, has been leaked on a hacking forum.

So what?

Organisations that suffer a data breach where account information is disclosed should be wary of targeted phishing attacks. Employees should receive phishing awareness training to ensure they can identify such attacks.



6. Share price plummets after cyber attack

British engineering firm Morgan Advanced Materials, which suffered a cyber attack last month, disclosed that it expected the attack would cost up to GBP 12 million. Following the announcement, the company’s share price dropped by five percent.

So what?

The financial impact of a cyber security incident can extend beyond recovery costs when customers or the public have reputational concerns. Having a cyber security risk management plan is an important factor in identifying and mitigating the reputational risks associated with a cyber attack.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright, Associate, Cyber Security
James Tytler, Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
