Russian National Linked to Conti and TrickBot Ransomware Operations Identified in Global Crackdown
Germany’s Federal Criminal Police Office (BKA) has accused Russian national Vitaly Nikolaevich Kovalev—also known by the alias Stern—of leading the Conti and TrickBot (Wizard Spider) ransomware operations, following a wave of disruptions under Operation Endgame, an international law enforcement initiative targeting cybercrime.
Investigations by the BKA revealed that Kovalev played a senior role in TrickBot, Ryuk, and Conti, with the TrickBot group at one point comprising over 100 members operating in a structured, profit-driven hierarchy. The earlier exposure of TrickLeaks and ContiLeaks data accelerated the dismantling of Conti, and authorities are now seeking information to aid in Kovalev’s arrest. He is believed to be residing in Russia, which complicates extradition efforts.
This development follows U.S. sanctions imposed on Kovalev over two years ago for his involvement in the same ransomware networks. The case underscores the ongoing challenges in prosecuting high-level cybercriminals operating from jurisdictions with limited cooperation.
Source: https://www.scworld.com/brief/conti-trickbot-cybercrime-group-leader-unmasked
Ryuk Labs cybersecurity rating report: https://www.rankiteo.com/company/ryuk-labs
BleepingComputer cybersecurity rating report: https://www.rankiteo.com/company/bleepingcomputer
Continental Engineering Services cybersecurity rating report: https://www.rankiteo.com/company/conti-engineering
"id": "RYUBLECON1766104409",
"linkid": "ryuk-labs, bleepingcomputer, conti-engineering",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'description': "Germany's Federal Criminal Police Office (BKA) has accused "
                'Russian national Vitaly Nikolaevich Kovalev of leading the '
                'Conti and TrickBot (Wizard Spider) ransomware operations as '
                'part of Operation Endgame. Kovalev, also known as Stern, was '
                'revealed to have led TrickBot, Ryuk, and Conti operations '
                'following the exposure of TrickLeaks and ContiLeaks data, '
                'accelerating the takedown of Conti. The BKA stated that the '
                'TrickBot group was highly organized with over 100 members and '
                'was project- and profit-oriented. Kovalev is believed to be '
                'in Russia and is sought for arrest.',
 'investigation_status': 'Ongoing (Operation Endgame)',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'ransomware_strain': ['Conti', 'TrickBot', 'Ryuk']},
 'references': [{'source': 'BleepingComputer'}],
 'regulatory_compliance': {'legal_actions': 'U.S. sanctions imposed on '
                                            'Kovalev'},
 'response': {'law_enforcement_notified': 'Yes (BKA, U.S. sanctions)'},
 'threat_actor': 'Vitaly Nikolaevich Kovalev (Stern), Wizard Spider (TrickBot '
                 'Group)',
 'title': 'Operation Endgame: Russian National Vitaly Kovalev Accused of '
          'Leading Conti and TrickBot Ransomware Operations',
 'type': 'Ransomware'}