![](\"https:\/\/media.wired.com\/photos\/61f888d17e1d5d6f07fba6b1\/master\/pass\/Security-Russia-Ransomware-Trickbot-1327818236.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Matt Burgess| Date: Tue, 01 Feb 2022 12:00:00 +0000<\/strong><\/p>\n Matt Burgess<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n When the phones<\/span> and computer networks went down at Ridgeview Medical Center\u2019s three hospitals on October 24, 2020, the medical group resorted to a Facebook post<\/a> to warn its patients about the disruption. One local volunteer-run fire department said<\/a> ambulances were being diverted to other hospitals; officials reported<\/a> patients and staff were safe. The downtime at the Minnesota medical facilities was no technical glitch; reports<\/a> quickly linked the activity to one of Russia\u2019s most notorious ransomware gangs.<\/p>\n Thousands of miles away, just two days later members of the Trickbot cybercrime group privately gloated over what easy targets hospitals and health care providers make. \u201cYou see, how fast, hospitals and centers reply,\u201d Target, a key member of the Russia-linked malware gang, boasted in messages to one of their colleagues. The exchange is included in previously unreported documents, seen by WIRED, that consist of hundreds of messages sent between Trickbot members and detail the inner workings of the notorious hacking group. \u201cAnswers from the rest, [take] days. And from the ridge immediately the answer flew in,\u201d Target wrote.<\/p>\n As Target typed, members of Trickbot were in the middle of launching a huge wave of ransomware attacks<\/a> against hospitals across the United States. Their aim: to force hospitals busy responding to the surging Covid-19 pandemic to quickly pay ransoms. The series of attacks prompted urgent warnings from federal agencies<\/a>, including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. \u201cFuck clinics in the usa this week,\u201d Target said as they gave the instruction to start targeting a list of 428 hospitals. \u201cThere\u2019s gonna be a panic.\u201d<\/p>\n The documents seen by WIRED include messages between senior members of Trickbot, dated from the summer and autumn of 2020, and expose how the group planned to expand its hacking operations. They lay bare key members\u2019 aliases and show the ruthless attitude of members of the criminal gang.<\/p>\n The messages were sent in the months before and shortly after US Cyber Command disrupted<\/a> much of Trickbot\u2019s infrastructure and temporarily stopped the group\u2019s work. Since then the group has scaled up its operations and evolved its malware<\/a>, and it continues to target businesses around the world. While Russia\u2019s \u200b\u200bFederal Security Service has recently arrested members of the REvil<\/a> ransomware gang\u2014following diplomatic efforts<\/a> between presidents Joe Biden and Vladimir Putin\u2014Trickbot\u2019s inner circle has so far been left relatively unscathed.<\/p>\n \u201cThey're trying to infect as many people as possible.\u201d<\/p>\n Limor Kessem, IBM Security<\/p>\n The Trickbot group evolved from the banking trojan Dyre around the end of 2015, when Dyre\u2019s members were arrested<\/a>. The gang has grown its original banking trojan to become an all-purpose hacking toolkit; individual modules, which operate like plugins, allow its operators to deploy Ryuk and Conti ransomware, while other functions enable keylogging and data collection. \u201cI don't know any other malware families that have so many modules or extended functionalities,\u201d says Vlad Pasca, a senior malware analyst at security company Lifars who has decompiled Trickbot\u2019s code. That sophistication has helped the gang, also known as Wizard Spider, collect millions of dollars from victims.<\/p>\n A core team of around half a dozen criminals sits at the heart of Trickbot\u2019s operations, according to the documents reviewed by WIRED and security experts who track the group. Each member has their own specialities, such as managing teams of coders or heading up ransomware deployments. At the head of the organization is Stern. (Like all the monikers used in this story, the real-world name, or names, behind the handles are unknown. They are, however, the identities the group uses when talking to each other.)<\/p>\n \u201cHe is the boss of Trickbot,\u201d says Alex Holden, who is CEO of cybersecurity firm Hold Security and has knowledge of the workings of the gang. Stern acts like a CEO of the Trickbot group and communicates with other members who are at a similar level. They may also report to others who are unknown, Holden says. \u201cStern does not get into the technical side as much,\u201d he says. \u201cHe wants reports. He wants more communication. He wants to make high-level decisions.\u201d<\/p>\n On August 20, 2020, the chat logs\u2014provided by a cybersecurity source with knowledge of the group\u2014show Target briefing Stern on how the group would expand in the coming weeks. \u201cThere will be 6 offices for sure and 50-80 people by the end of September,\u201d Target said in one of a flurry of 19 messages. These offices are believed to be based in Russia\u2019s second-largest city, Saint Petersburg. Kimberly Goody, director of cybercrime analysis at security firm Mandiant, says the group \u201cmost likely\u201d has a significant presence there. Current estimates say Trickbot has anywhere from 100 to 400 members, making it one of the largest cybercrime groups in existence.<\/p>\n Messages between Target and Stern show that in mid-2020 the group was spending money on three main areas. Two offices\u2014\u201cone main and one new for training\u201d\u2014were being used for the current operators\u2019 expenses and expansion. \u201cHacker offices,\u201d where 20-plus people worked, would be used for interviews, equipment, servers, and hiring, Target said. And finally, there would be an office for \u201cprogrammers\u201d and their equipment. \u201cA good team leader has already been hired, and he will help gather the team,\u201d Target continued. \u201cI\u2019m sure that everything will pay off, so I\u2019m not nervous.\u201d<\/p>\n Throughout the conversations viewed by WIRED, the group makes various references to \u201csenior managers\u201d working as part of Trickbot and its businesslike structure. \u201cThere is generally a core team of developers,\u201d Goody explains. \u201cThere's a manager who oversees development work, and they have coders that work under them on specific projects.\u201d Members of the group are encouraged to propose ideas, such as new scripts or malware, that developers could work on, Goody says, and generally the lower-level workers don\u2019t talk to their senior colleagues. Most of the group\u2019s internal conversations, according to various sources\u2014including US court documents\u2014happen through instant messages on Jabber servers.<\/p>\n A gang member going by the moniker Professor oversees much of the ransomware deployment work, Goody says. \u201cProfessor, who we believe also goes by the name Alter, seems to be a relatively significant player in terms of managing these specific ransomware deployment operations,\u201d Goody says, \u201cas well as requesting development of specific tools that would help enable those.\u201d She adds that Professor has been linked to Conti ransomware operations in the last year and \u201cappears to lead multiple sub-teams or has multiple team leaders\u201d that report to them.<\/p>\n That wouldn\u2019t be the only working relationship Trickbot\u2019s team has with outside parties. In the conversations seen by WIRED, Target says the group will \u201clearn to collaborate\u201d with those behind the Ryuk ransomware, indicating that the two organizations are largely separate. And while the Trickbot group hasn\u2019t been linked to hacking operations run by the Russian state\u2014such as the activities of Sandworm<\/a>\u2014the core members of the gang make reference to Kremlin-backed activities. Stern mentioned setting up an office \u201cfor government topics\u201d in July 2020. In response, Professor said the hacking group Cozy Bear<\/a> is \u201cworking their way down the list\u201d of potential Covid-19 targets.<\/p>\n In one set of internal conversations, Target answers questions from a group member who is concerned about being caught. The person is worried that colleagues could expose their locations, through leaking their IP addresses, when they don\u2019t use a VPN to mask their whereabouts. Target says IP address exposure shouldn\u2019t be a problem: \u201cHere it is guaranteed that no one will touch you and you are probably not going to fly somewhere anyway.\u201d<\/p>\n Prior to the REvil arrests, the Kremlin and Russian authorities spent years allowing ransomware groups believed to be based in the country to operate with relative impunity. \u201cThere seems to be very deliberate separation and non-attacks of any Russian interests by Trickbot, Ryuk, Emotet, and Conti because they don\u2019t want confrontation with the government,\u201d Holden says. However, not all of Trickbot\u2019s members are in Russia. The conversations among the group viewed by WIRED reveal at least two members appear to be based in Belarus\u2014during the summer of 2020 when Belarus shut down the internet<\/a> Stern said that one member, a coder called Hof, would not be online until \u201cthe internet problem in Belarus is solved.\u201d<\/p>\n These exchanges likely comprise only a small element of the group\u2019s interactions. Some details of TrickBot\u2019s inner workings were also revealed in June and October 2021, when the US Department of Justice unsealed and unredacted charges against two alleged Trickbot members, Alla Witte and Vladimir Dunaev<\/a>. The indictment, which also covers other unnamed members of the Trickbot group, focuses on the group\u2019s hacking and money laundering but also provides snippets of conversations. Goody says some private communication channels can contain dozens of members of the group.<\/p>\n Coders and developers recruited by Trickbot are drawn in from job postings on dark web forums but also on open web Russian-language freelancer websites, the DOJ indictment says. While many of the job ads are hiding in plain sight, they don\u2019t explicitly say successful applicants will be working for one of the world\u2019s most ruthless cybercriminal groups. One job ad the indictment points to calls for someone who is an experienced reverse engineer and knows the coding language C++. The ad, which has long-since expired, says the job was focused around web browsers on Windows, involved working remotely, and had a budget of $7,000. A long-term position would potentially be possible if the work was completed successfully, the ad says.<\/p>\n Holden says Trickbot uses multiple layers during its hiring process in an effort to weed out those without the technical skills needed, and also cybersecurity companies trying to gather intelligence. Anyone applying for work has to pass an initial screening before moving on to tough skills tests, he says. \u201cThe questions are very complex technologically,\u201d he explains. Goody adds that penetration testers working for the group can be paid $1,500 per month, plus a cut of ransoms that are paid.<\/p>\n During the recruitment process, Holden says, it is \u201cacknowledged\u201d that these aren\u2019t everyday roles. Holden says he has seen ads that tell potential recruits they will be working for a startup involved in bug bounties, and that most of its funding comes from abroad. \u201cThe majority understand that this is blackhat and asking for the commercial target,\u201d Trickbot conversations within the DOJ indictment say, referring to criminal hacking activities. \u201cWe need to stop communicating with idiots.\u201d<\/p>\n The two alleged members of Trickbot named by the DOJ\u2014Witte and Dunaev\u2014were arrested by law enforcement outside of Russia. Witte, a 55-year-old Latvian national who lived in Suriname, was arrested in June 2021 while traveling to Miami and is charged with 19 counts that range from identity theft to bank fraud. She\u2019s accused<\/a> of being one of Trickbot\u2019s malware developers and allegedly exposed herself after hosting Trickbot\u2019s malware on her personal domain name. Dunaev, 38, was extradited from the Republic of Korea to Ohio in October 2021 and is also accused<\/a> of developing Trickbot\u2019s malware.<\/p>\n Despite the arrests and wider ransomware crackdowns in Russia, the Trickbot group has not exactly gone into hiding. Toward the end of last year, the group boosted its operations<\/a>, says Limor Kessem, an executive security advisor at IBM Security. \u201cThey're trying to infect as many people as possible by contracting out the infection,\u201d she says. Since the start of 2022, the IBM security team has seen Trickbot increase its efforts to evade security protections and conceal its activity<\/a>. The FBI also formally linked the use of the Diavol ransomware to Trickbot at the beginning of the year. \u201cTrickbot doesn't seem to be targeting very specifically; I think what they have is numerous affiliates working with them, and whoever brings the most money is welcome to stay,\u201d Limor says.<\/p>\n Holden too says he has seen evidence that Trickbot is ramping up its operations. \u201cLast year they invested more than $20 million into their infrastructure and growth of their organization,\u201d he explains, citing internal messages he has seen. This money, he says, is being spent on everything Trickbot does. \u201cStaffing, technology, communications, development, extortion\u201d are all getting extra investment, he says. The move points to a future where\u2014after the takedown of REvil\u2014the Trickbot group may become the primary Russia-linked cybercrime gang. \u201cYou expand in the hope of getting that money back in spades,\u201d Holden says. \u201cIt\u2019s not like they are planning to close the shop. It\u2019s not like they are planning to downsize or run and hide.\u201d<\/p>\n