A Ukrainian researcher revealed the operations of Trickbot, one of the most powerful cybercriminal enterprises, and its Conti ransomware, after the group defended Russia; the leaked chats range from a hospital attack plan to hackers grousing about vacation
US authorities and cybersecurity researchers foiled large parts of the plan, warning hospitals before the hackers’ ransomware could be installed, but the hackers shrugged off the setback, according to a cache of data and documents leaked online in recent weeks.
The hacking enterprise, called the Trickbot Group by federal prosecutors, and its affiliates had already collected hundreds of millions of dollars by shutting down emergency rooms, city governments and public schools since 2018.
“I find it all funny,” wrote a Trickbot hacker who used the pseudonym “target,” in a message, after the plan was thwarted, to “stern,” the group’s leader and paymaster.
This wide-open view of the inner workings of what is perhaps the world’s biggest and most dangerous organized cybercrime group is a surprising result of the war in Ukraine. An anonymous researcher who had infiltrated the group’s servers, and who identified himself as Ukrainian, posted the data on Twitter on Feb. 27. “Ukraine will Rise!” he then wrote in a March 2 tweet.
Security researchers and US officials say the internal conversations amount to the most complete and candid public look yet at the operations of a criminal ransomware enterprise. US authorities have been tracking the Trickbot group, but little was known publicly about its operations and internal deliberations before the cache of documents surfaced.
More than 200,000 messages exchanged by 450 Trickbot managers, staff and business partners since June 2020 reveal a well-organized criminal syndicate with possible connections to Russian intelligence agencies. They show an organizational resilience that allowed the group to rapidly recover from counterattacks by international law-enforcement coalitions, and grand ambitions to diversify and develop a cryptocurrency.
Life inside the group swings wildly between the dangerous and the mundane, with managers at once hatching extravagant plans, such as opening a pro-Russian espionage division, while also budgeting vacation time and smoothing over workforce conflicts.
Russia’s invasion of Ukraine last month prompted the researcher to leak the information, according to two people who know him and can verify the work he did to capture Trickbot communications and pass them on to Western cybersecurity professionals. The researcher didn’t respond to requests for comment sent to him via an intermediary.
US law-enforcement officials haven’t publicly verified the materials. Cybersecurity researchers and former security officials say the chat logs and other leaked documents appeared to be authentic. The Federal Bureau of Investigation declined to comment.
The data include technical details that align with attacks using ransomware called Conti that Trickbot has previously claimed, as well as a breach previously attributed by security experts to another strain of ransomware developed by the group called Ryuk, according to an analysis of the data by Businesshala.
A malware developer participating in the chats used a nickname previously identified in a federal indictment as a coder for Trickbot. And gaps in the logs coincide with periods when the group’s computer infrastructure was known to have been disrupted by law enforcement or intelligence agencies, according to security researchers and the security blogger Brian Krebs.
Credit: www.Businesshala.com