More Developments on Cyber Crime and Russia

A possible closer relationship between Russian leaders and cyber criminals.

The world keeps getting less safe online.

A top ransomware distributor has targeted Ukraine six times since Russia’s invasion

  • As Villadsen put it: “We have a shift in their targeting, it coincides with the invasion of Ukraine, and we are seeing both indiscriminate and targeted attacks — all of which signal a fairly big change in the criminal ecosystem.”
  • “It’s invulnerable because it’s a marketplace,” Mandiant Vice President John Hultquist told me. “Any single actor can be replaced by a dozen high-value alternatives.”
  • “They seemed to have launched a number of brands,” said Emsisoft analyst Brett Callow. “It’s hard to say who is what. There is considerable crossover between the groups.”

We have a potentially major development in the murky world of ransomware gangs, a world made even murkier by ongoing questions about which of them are motivated strictly by money, which of them are simply disguised government operations, and which fall somewhere in between. 

In a report out this morning, IBM security researchers say that Trickbot, one of the most active ransomware distributors of the past several years, has hit targets inside Ukraine in six separate campaigns since Russia invaded in February.

While the first two of those efforts were scattershot, looking to infect anyone, some in May and June were carefully selected elements of critical infrastructure, where the group installed Cobalt Strike, a common post-exploitation tool that typically requires hands-on operation by an attacker. That suggests that the longtime money-chasers were doing work on behalf of the Russian government, or at a minimum in enthusiastic support of it.

IBM based its analysis on malware samples uploaded by victims to VirusTotal, senior researcher Ole Villadsen told me. Those provided links between various campaigns, in part when the same encryption scheme was used.

The encryption deployed in the recent Ukraine waves isn’t necessarily limited to use by Trickbot alone, but Villadsen said IBM believes it circulates only among those with strong ties to the group, what he termed “friends and family.”

Trickbot means different things to different people, especially to experts. 

It began life as a banking credential-stealer in 2016, and even then it overlapped with a crime group known as Dyre that some believed was close to Russian authorities. (That speculation increased when authorities conducted a raid on the gang and then never announced charges.)

It then began offering services to other gangs, who paid it to install their own malware. When the crime of the moment became ransomware, that’s where the Trickbot network went as well, putting Ryuk and other nastiness on machines worldwide.

Trickbot as a whole has perhaps up to 200 people, mostly in the services-for-others wing, or did before U.S. Cyber Command and Microsoft tried hard to disrupt its operations nearly two years ago. 

But it has a core leadership that directs some of the outfit’s own operations. Many analysts say that now includes the nice people behind Conti, the ransomware that has picked its targets carefully and raked in millions of dollars in multiple scores. 

It is this same core group that Villadsen said is now running the latest Ukrainian operations. 

Conti and Russia

If that checks out — Caveat 2: A competitor said he didn’t agree with some of IBM’s assumptions — it would fit with Conti’s post-invasion declaration of loyalty to the Russian government. That same declaration backfired when a Ukrainian member of the group quit and posted reams of internal chats, including one in which two other members discussed setting up a separate office solely for government business.

The leaks included names and addresses of some Conti leaders but mysteriously led to no known arrests; in retrospect, that could have given Russian national authorities more leverage over the gang. 

That leak also cost Conti credibility with its outside affiliates who installed its ransomware in exchange for a cut of the profits, and the group appeared to splinter after one last hurrah, the ransoming of the entire government of Costa Rica. 

Some researchers said Conti was slimming down just to Russian employees. Others said it was giving up the Conti brand and using a grab bag of new names. A senior federal official told me the jury is still out.

As I said, this world was already murky, which is a problem not just for analysts and reporters but for law enforcement trying to beat the odds and hold someone accountable, at least when they travel somewhere with extradition. 

Part of the murk is that many crime groups use multiple services for distribution, including Trickbot.

Caveat 3: When one group moves too close to the Russian government and gets sanctioned, it changes names and often infrastructure and partners.

That said, a major group carrying water for a government’s war objectives is major new territory, Callow and others said.

Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.