Trickbot indictment demonstrates how one hacking tool built on older malware
More than five years ago, Russian authorities reportedly raided a Moscow-based film company affiliated with the scammers behind Dyre, a notorious piece of malicious software linked with tens of millions of dollars in losses.
No charges against the hackers were made public, but scams using the Dyre banking trojans seemed to abruptly disappear.
A U.S. indictment unsealed last week confirmed what security researchers had long suspected: From the ashes of Dyre sprung TrickBot, a piece of malicious code that has caused untold financial costs by infecting tens of millions of computers worldwide and playing a part in a series of ransomware attacks. TrickBot rose to such prominence, and menace, that U.S. military hackers took aim at its infrastructure ahead of the 2020 election to reduce the potential for ransomware attacks that could disrupt the vote.
The episode exemplifies how cybercriminal groups can evolve and, drawing on old hacking tools, haunt U.S. organizations for years to come. And, as Joe Biden prepares to press Vladimir Putin on Russia-based ransomware gangs, the Dyre-TrickBot evolution offers another example of the long tail of lax law enforcement in Russia.
“It speaks to the resiliency of [organized cybercriminal] groups,” said Michael DeBolt, senior vice president for global intelligence at security firm Intel471. “The indictment illuminates the sheer scale and organization of the operation.”
The indictment charges Alla Witte, a 55-year-old Latvian woman, with writing computer code to deploy ransomware and collect extortion payments. She was arrested in February in Miami, and arraigned in federal court in Cleveland on Friday.
The raid was on a Moscow company called 25th Floor that produces movies in Russia and abroad. The company was then working on a cybercrime movie, called “Botnet,” that was loosely based on a 2010 cybercrime case that involved charges against dozens of people in the U.S., Reuters reported in 2016.
Whatever happened during the 2015 raid, DeBolt said, it disrupted the criminal enterprise behind Dyre and forced the scammers to recruit freelance hackers on multiple online forums. One of the recruits appears to be Witte, who maintained a website advertising her computer skills.
Nearly a year after the Russian raid, analysts at Fidelis Cybersecurity made direct links between Dyre and TrickBot, citing uncanny similarities in the code. But Hardik Modi, who was then a vice president at Fidelis, said it would have been difficult to foresee what a menace TrickBot would become.
“We knew [TrickBot] was a rampant at the time,” Modi said. But the malware’s transformation into a “gateway to ransomware” is its biggest impact on the cybersecurity landscape today, he added.
TrickBot gained notoriety when cybercriminals used the malware to assemble a vast botnet, or army of compromised computers. U.S. Cyber Command and tech companies sought to knock some of TrickBot’s infrastructure offline during the 2020 election season, but the botnet has lived on.
For now, Witte’s indictment is resulting in new findings about TrickBot itself.
“One interesting revelation in the indictment was that Witte [allegedly] developed a ransomware module for TrickBot itself,” said Katie Nickels, director of intelligence at cybersecurity company Red Canary.
“While cybersecurity researchers have tracked TrickBot for years — and it is widely known as a ‘precursor’ to Ryuk ransomware — there is little public research about the existence of a ransomware component of TrickBot,” Nickels added.
TrickBot will continue to be a menace to organizations, according to experts. And the indictment names more than a dozen other people known to the grand jury who are allegedly involved in TrickBot.
“There’s a reason why arresting people who are behind this is so difficult,” said DeBolt, of Intel471. “They make it difficult. And they know that’s one of the only ways you can put an end to these groups.”