Trickbot Strikes Back


A notorious group of cybercriminals whose operations were almost totally dismantled last year seems to be back in business — in yet another example of the seemingly intractable nature of cybercrime.

The Russian-speaking group known as “Trickbot” (which is also the name of the malware that they’re responsible for creating and distributing) has built up its infrastructure and seems to be preparing for some nefarious new campaign, The Daily Beast first reported.

The group, which has been connected to ransomware attacks and widespread theft of financial information, is an outgrowth of an older, Russia-based cybercrime group called “Dyre.” After Dyre was initially broken up by Russian authorities back in 2015, the remaining members regrouped, creating new malware tools and working to employ them in even more expansive criminal enterprises. Trickbot, which today operates out of numerous places in Eastern Europe — including Russia, Ukraine, Belarus, and others — is perhaps best known for running one of the world’s largest botnets.

Botnets are large networks of “zombie” devices — computers that have been infected with special kinds of malware that allow them to be collectively controlled by a hacker, typically for malicious purposes. In Trickbot’s case, the group has used its million-plus botnet for an assortment of sordid activities, including helping to launch ransomware attacks throughout the world.

Last fall, the Pentagon’s Cyber Command attempted to debilitate Trickbot, fearing that hackers connected to the group might attempt to interfere with the 2020 presidential election. CYBERCOM launched a series of “coordinated attacks” against Trickbot’s servers, ultimately succeeding in disrupting its operations. However, it was clear that federal officials did not expect their efforts to be a long-term deterrent, with anonymous sources telling the Washington Post that the action was “not expected to permanently dismantle the network.”

Around the same time, Microsoft launched its own campaign that was also targeted at dismantling the group. The company tracked and analysed the servers that were involved in operating the botnet, subsequently garnering a court order that allowed them to disable the IP addresses connected to those servers. Microsoft’s operation even involved working together with ISPs to reportedly go “door to door” in Latin America, where they helped to replace routers that had been compromised by the criminal group.

However, as is often the case with cybercrime, few of the culprits behind the malware’s distribution were ever tracked down or faced charges. Earlier this year, a 55-year-old Latvian woman who was known by the online pseudonym “Max” was arrested and charged in federal court for her role in facilitating Trickbot operations. However, she was merely one member — the others appear to be back to business as usual.

Indeed, a recent report from security firm Fortinet seems to show that the group has allegedly helped create a new strain of ransomware, dubbed “Diavol.” On top of this, another report from BitDefender shows that the group has rebuilt its infrastructure and has recently been seen gearing up for new attacks and malicious activity, with the firm ultimately noting that “Trickbot shows no sign of slowing down.”

The critical problem with cybercrime is the same as other types of crime: If you don’t nab the actual criminals, they’re just going to be back out on the street next week doing the same thing. And, unlike other types of crime, the jurisdictional problems and anonymity of cybercrime make it so much more difficult to do said nabbing.