Conti member indicted for role in 2021 Scripps Health ransomware attack

On September 7, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with the United Kingdom, sanctioned 11 individuals who are alleged to be part of the Russia-based Trickbot cybercrime group. At the same time, the U.S. Department of Justice (DOJ)  unsealed indictments against nine individuals in connection with the Trickbot malware and Conti ransomware schemes, including seven of the 11 individuals designated that day.

One of those individuals was Maksim Galochkin. As described by the government in its press announcement, Galochkin, who was also known by the online monikers “Bentley,” “Crypt,” and “Volhvb,” led a group of testers with responsibilities for development, supervision, and implementation of tests. The National Crime Agency also lists “Max17” as one of his monikers.

Additional information on him, provided by OFAC, includes that he is male, was born May 19,1982, and is a Russian national. Email Address: [email protected]; alt. Email Address [email protected]; alt. Email Address [email protected]; alt. Email Address [email protected]; Secondary sanctions risk: Ukraine-/Russia-Related Sanctions Regulations, 31 CFR 589.201 (individual) [CYBER2].

Additional context and background on Galochkin can be found in a fascinating piece by Matt Burgess and Lily Hay Newman of Wired. Their ability to unmask Galochkin was greatly enabled by research by NISOS.

Criminal Charges

Galochkin was originally charged in a sealed indictment filed in June 2023. The now-unsealed indictment charges that he and co-conspirators were responsible for accessing and damaging the computers of more than 900 victims worldwide. One of those victims was Scripps Health in the Southern District of California which was attacked in May 2021.

Story continues below the break.

Previous coverage of the Scripps Health ransomware incident can be found on DataBreaches at:

The three counts of Galochkin’s indictment charge:

  • Unauthorized access to a protected computer in violation of Title 18, United States Code, Sections 1030 (a) (2) (C), (c) (2) (B), and 2;
  • Damage to a protected computer by transmission of Conti malware, in violation of Title 18, United States Code, Sections 1030 (a) (5) (A), (c) ( 4 ) (B), and 2. “The offense caused loss resulting from a related course of conduct affecting one or more protected computers aggregating at least $5,000 in value, the modification and impairment of the medical examination, diagnosis, treatment, and care of one or more individuals, a threat to public health and safety, and damage affecting 10 or more protected computers during a one-year period; and
  • Threatening to damage a protected computer by aiding and abetting the transmission of a ransom note, in violation Title 18, United States Code, Sections 1030 (a) (7) (C), (c)(3)(A), and 2.

Galochkin has been indicted but is not has not been caught or arrested at this point.

About the author: Dissent

Comments are closed.