The South Korean authorities handed over 38-year-old Russian TrickBot developer Vladimir Dunaev to US law…
The group is known for attacking medical facilities, even though this is taboo for many ransomware groups. Judging by the correspondence, Trickbot was preparing to attack medical facilities throughout the United States. The extortionists were guided by simple logic: at the peak of the Covid-19 pandemic, hospitals would react very quickly and pay ransoms in order to get back to work as soon as possible.
In particular, Target provided a list of 428 hospitals and stated that “panic will begin soon.”
The backbone of the group consists of five key members. Each participant has a role to play: one leads the development teams, another is responsible for the deployment of ransomware. The head of the organization is a person known as Stern.
In an email dated August 20, 2020, Target reported to Stern on Trickbot’s plans to expand its operations in the coming weeks. In particular, by the end of September it was planned to open six offices for 50-80 people, and not just anywhere, but in St. Petersburg. According to Kimberly Goody, head of analytics at the security company Mandiant, it is “most likely” that many Trickbot operations are conducted from this city.
According to correspondence between Target and Stern, the group had three main items of expenditure in mid-2020. Two offices (the main office and the training office) were used for day-to-day operations. The “hacker” office, with more than 20 employees, was used for interviewing and hiring, as well as for storing equipment and hosting servers.
Judging by the repeated references to “senior managers” in the messages, Trickbot was a kind of corporate structure in which junior staff almost never interacted with senior staff.
The ransomware was deployed by a member known as Professor, who is also associated with the Conti ransomware group.
In addition to Conti, Trickbot “learned to cooperate” with other groups, in particular with the Ryuk ransomware operators.
The group hired software developers through ads on darknet forums, as well as on open Russian-language freelancer sites. Of course, the ads on the open Internet did not disclose that applicants were being offered jobs in a cybercriminal organization. For example, one ad sought an experienced reverse engineer with C++ knowledge, ostensibly to work on building web browsers for Windows.
The selection of candidates took place in several stages in order to weed out those who lacked the necessary skills, as well as employees of information security companies working “undercover”.
Recall that we have already covered the fight of law enforcement against Trickbot developers: in July 2021, US police arrested a Latvian citizen suspected of developing TrickBot; in September, a TrickBot developer was arrested in Seoul, where he had been stuck due to COVID-19 travel restrictions; and in November, TrickBot developer Vladimir Dunaev was extradited to the USA. On the other hand, the Emotet botnet returned after the law enforcement operation against it and teamed up with TrickBot.