On the stark winter day of 8 February 2020, an innocuous email arrived. It was disguised and deceptive. This email ignited a digital firestorm against Redcar & Cleveland Borough Council. They are a local authority serving over 130,000 residents in North Yorkshire. Within moments, IT systems froze. Phone lines collapsed. Websites vanished. Council staff reverted to the pen-and-paper age. They scrambled to serve their community, armed only with notebooks and mobile phones.
The virus had been lurking in the network. It was dormant and sinister. Then it struck and ravaged. It crippled social care systems, billing functions, housing applications, and even bin collections. Essential services evaporated overnight. Staff faced punishing queues just to get through on the phone, while desperate residents waited—sometimes in vain—for support.
Central government help arrived—but only after a painful delay. The council’s leader, Mary Lanigan, recalled how police and cybercrime teams showed up within 48 hours. Nevertheless, meaningful support “from Westminster” didn’t come for about a week. In the meantime, the council had to hire private security responders and rely on its own contingency reserves. Despite promises, only around £3.6 million of the £11.3 million tab for recovery was covered by central grants—the other £7 million hit local coffers hard.
The crisis resolution stretched long, roughly 10 months, to fully rebuild the council’s IT infrastructure. By December 2020, operations were officially back online, albeit with scars still fresh.

The Shadow Behind the Siege: Conti Revealed
At the time, the identity of the cyber-culprits remained a mystery. The tumult of Russia’s invasion of Ukraine in 2022 brought attention to one of the world’s most notorious ransomware groups. The Conti syndicate was thrust into the spotlight.
Conti, a Russian-based operation born from the “Wizard Spider” crew, had become a powerhouse of ransomware-as-a-service. Its operations were bold, brutal, and global. The U.S. government placed multimillion-dollar bounties on its leadership. Then the leaks began. Around 60,000 internal chat messages, posted online by Ukrainian-aligned anti-Russian hackers, revealed Conti’s inner workings—its politics, profits, and personnel.
Vitaliy Kovalev, alias “Bentley”, was among the names. He is a Russian national who has been placed on the National Crime Agency’s wanted list. Fellow cyber-operatives were known by their handles “Globus” and “Mushroom”. They were all cited in the leaked chat logs as key players in Russia’s ransomware underworld. British authorities believe these men played a crucial role in Conti’s campaigns. They coordinated extortion attempts targeting not only councils like Redcar & Cleveland but also hospitals. Corporations and schools were also targeted.
By the Numbers & the Aftermath
| Impact Metric | Detail |
|---|---|
| Population affected | ~135,000 residents |
| Recovery cost | ~£11.3 million total; only ~£3.6 million covered by central funds |
| Downtime | Full IT outage; essential services disabled for months |
| Suspected group | Russian Conti syndicate, exposed in Ukrainian leaks |
| Key suspects | Vitaliy Kovalev (“Bentley”), “Globus”, and “Mushroom” – all wanted by the NCA |
The Cybercrime Rogues’ Gallery
WANTED BY THE NCA
Profiles of the suspected Conti ringleaders linked to global ransomware operations.
Vitaliy Kovalev – “Bentley”
- Nationality: Russian
- Known role: Senior organiser, Conti syndicate
- Modus operandi: Oversaw deployment of ransomware and laundering of proceeds.
- Status: Publicly named by UK authorities; subject of international arrest warrants.
Valentin Karyagin – “Globus”
- Alias is believed to be used by another Russian Conti affiliate.
- Role: Technical operator, responsible for intrusion techniques and victim communication.
- Notorious for: Direct involvement in ransom negotiations and pressuring victims into payment.
Ivan Vakhrameyev – “Mushroom”
- Handle uncovered in the Ukrainian leak of 2022.
- Believed to be: Developer/cryptographer for the Conti group.
- Contribution: Helped design encryption modules that locked victim data.
- Current whereabouts: Unknown, suspected to remain in Russia under the protection of criminal networks.

A Warning Written in Code
Redcar & Cleveland’s ordeal was more than a local disaster—it was a harbinger. A single email, a silent trigger, and an entire council was held hostage by faceless criminals half a world away. The later revelations surrounding Conti exposed ringleaders like Kovalev, Globus, and Mushroom. These revelations confirmed what many feared. Ransomware was no longer mere cybercrime. It had become a weapon of international reach.
The injustice is hard to ignore. A council in northern England was working to empty bins and support vulnerable residents. Instead, it was forced to fight a shadow war against some of Russia’s most notorious cybercriminals.
And if it can happen in Redcar, it can happen anywhere.
