Internal correspondence between the leaders of the group sheds light on its structure and activities.
Wired obtained previously unpublished documents containing hundreds of messages exchanged between members of the notorious ransomware group Trickbot. The internal correspondence between one of the group's key members, known by the pseudonym Target, and his accomplices during the period from summer to autumn 2020 sheds light on how the group was organized and how it operated. A few months later, US Cyber Command took down much of Trickbot's infrastructure and temporarily disrupted its operations.
The group is known for attacking medical facilities, even though this is taboo for many ransomware groups. Judging by the correspondence, Trickbot was preparing to attack medical facilities throughout the United States. The group's reasoning was simple: at the peak of the Covid-19 pandemic, hospitals would react very quickly and pay ransoms in order to get back to work as soon as possible. In particular, Target provided a list of 428 hospitals and stated that "panic will begin soon."
The backbone of the group consists of five key members. Each has a role to play: one leads the development teams, another is responsible for deploying the ransomware. The head of the organization is someone known as Stern.
In an email dated August 20, 2020, Target reported to Stern on Trickbot's plans to expand its operations in the coming weeks. In particular, by the end of September it planned to open six offices for 50-80 people, and not just anywhere, but in St. Petersburg. According to Kimberly Goody, head of analytics at the security company Mandiant, it is "most likely" that many Trickbot operations are conducted from this city.
According to the correspondence between Target and Stern, the group had three main items of expenditure in mid-2020. Two offices (a main office and a training office) were used for day-to-day operations. The "hacker" office, with more than 20 employees, was used for interviewing and hiring, as well as for storing equipment and hosting servers.
Judging by the repeated references to "senior managers" in the messages, Trickbot operated as a kind of corporate structure, in which junior staff almost never interacted with senior staff.
The ransomware was deployed by a member known as Professor, who is also associated with the Conti ransomware group.
In addition to Conti, Trickbot "learned to cooperate" with other groups, in particular with the Ryuk ransomware operators.
The group hired software developers through ads on darknet forums as well as on open Russian-language freelance sites. Naturally, the ads on the open Internet did not mention that applicants were being offered jobs in a cybercriminal organization. For example, one ad sought an experienced reverse engineer with C++ knowledge, ostensibly to work on building web browsers for Windows.
Candidates were screened in several stages in order to weed out those who lacked the necessary skills, as well as employees of information security companies working "undercover."
Despite the recent arrests of members of ransomware groups, Trickbot does not seem to have disappeared. On the contrary, according to IBM Security senior consultant Limor Kessem, the group stepped up its operations towards the end of last year. Since early 2022, the IBM security team has been watching Trickbot intensify its efforts to bypass security controls and hide its activity.