Trickbot ransomware wanted to open offices in St. Petersburg

Wired obtained previously unpublished documents containing hundreds of messages exchanged between members of the notorious cyber-extortionist group Trickbot. Among other things, the messages show that the criminals wanted to open offices in Russia.

The internal correspondence of one of the key members of the group under the pseudonym Target with accomplices during the period from summer to autumn 2020 sheds light on how the group was organized and how it acted. A few months later, US Cyber Command removed much of Trickbot’s infrastructure and temporarily disrupted its operations.

The group is known for attacking medical facilities, even though this is taboo for many ransomware groups. Judging by the correspondence, Trickbot was preparing to attack medical facilities throughout the United States. The extortionists followed a simple logic: at the peak of the Covid-19 pandemic, hospitals would react very quickly and pay ransoms in order to get back to work as soon as possible.

“You see, how fast, hospitals and centers reply. Answers from the rest, [take] days. And from the ridge immediately the answer flew in,” Target, a key member of the Russia-linked malware gang, boasted in messages to one of their colleagues.

In particular, Target provided a list of 428 hospitals and stated that “panic will begin soon.”

The backbone of the group consists of five key members. Each has a role to play: one leads the development teams, another is responsible for deploying the ransomware. The head of the organization is someone known as Stern.

In an email dated August 20, 2020, Target reported to Stern on Trickbot’s plans to expand its operations in the coming weeks. In particular, by the end of September the group planned to open six offices for 50-80 people, and not just anywhere, but in St. Petersburg. According to Kimberly Goody, head of analytics at security company Mandiant, it is “most likely” that many Trickbot operations are conducted from this city.

According to the correspondence between Target and Stern, the group had three main items of expenditure in mid-2020. Two offices (a main office and a training office) were used for day-to-day operations. The “hacker” office, with more than 20 employees, was used for interviewing and hiring, as well as for storing equipment and hosting servers.

Judging by the repeated references to “senior managers” in the messages, Trickbot was a kind of corporate structure, and junior staff almost never interacted with senior staff.

The ransomware was deployed by a member known as Professor, who is also associated with the Conti ransomware group.

In addition to Conti, Trickbot “learned to cooperate” with other groups, in particular with the Ryuk ransomware operators.

The group hired software developers through ads on darknet forums, as well as on open Russian-language freelance sites. Naturally, the ads on the open Internet did not mention that applicants were being offered jobs in a cybercriminal organization. For example, one ad sought an experienced reverse engineer with C++ knowledge, ostensibly to work on building web browsers for Windows.

The selection of candidates took place in several stages in order to weed out those who lacked the necessary skills, as well as employees of information security companies working “undercover”.

Despite the recent arrests of members of cyber-extortion groups, Trickbot does not seem to have disappeared. On the contrary, according to Limor Kessem, senior security consultant at IBM Security, the group increased its operations by the end of last year. Since early 2022, the IBM security team has watched Trickbot step up its efforts to bypass security features and hide its activities.

Recall that we have covered the fight of law enforcement against Trickbot developers: in July 2021, US police arrested a Latvian citizen suspected of developing TrickBot; in September, a TrickBot developer was arrested in Seoul, where he had been stuck due to COVID-19 travel restrictions; in November, TrickBot developer Vladimir Danaev was extradited to the USA. On the other hand, the Emotet botnet returned after the law enforcement operation against it and teamed up with TrickBot.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
