Trickbot Members Sanctioned for Pandemic-Era Ransomware Hits

The US and the UK have issued joint sanctions against alleged members of the TrickBot cybercrime gang for their role in cyberattacks against critical infrastructure.

Trickbot, as a malware, began life as a lowly banking Trojan before its authors started adding modules for other forms of malicious activity. It thus evolved into a multifaceted cyber-Swiss Army knife, often used as a first- or second-stage implant that, once ensconced on a victim machine, fetches ransomware or other payloads. The group ultimately grew into to acting as a ransomware affiliate for Conti and other groups. 

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," according to an announcement from the US Treasury Department. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

The announcement, intriguingly, ties the seven sanctioned people to Russian Intelligence Services, since the 2020 attacks "aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services. This included targeting the US government and US companies." Trickbot has previously been widely considered to be a financially motivated cybercrime gang, Russian-speaking but not Russia-sponsored.

The sanctioned individuals are:

The sanctions mean that the government can seize any assets that they may have in the US or UK, and it prevents US- and UK-based organizations and individuals from doing business with them. All seven perps remain at large, presumably under the comforting protection of the Russian state, which continues to look the other way when it comes to cybercriminals residing within its borders.

"These sanctions are a welcome sight although they may be academic," Timothy Morris, chief security adviser at Tanium, tells Dark Reading. "What it would, or should do, is make it harder for the seven involved to launder their ill-gotten gains. Also, they will probably be careful with any vacation plans for fear of capture or extradition. It is good to see sanctions and takedowns that have cross-jurisdiction cooperation."

As for the gang itself, a law-enforcement takedown in 2020 saw its activity slowly "wither," according to a report last year from Intel 471, with the malware's operators instead turning to the Emotet botnet to continue its incursions into businesses.

"We've not seen any Trickbot activity since the Feb. 2022 blog post," Michael DeBolt, chief intelligence officer at Intel 471, said in an emailed statement. "It is highly likely that Trickbot won't be seen again. One possible scenario is that the source code may be sold or leaked, and other threat actors could re-use it or fork the source into a new project."