
Inside Trickbot, the notorious Russian ransomware gang


When the phone and computer networks went down at three Ridgeview Medical Center hospitals on October 24, 2020, the medical team used a Facebook post to warn its patients of the interruption. A fire department run by local volunteers said ambulances were being diverted to other hospitals; officials reported that patients and staff were safe. The downtime at the medical facilities in Minnesota was not a technical problem; reports quickly linked the outage to one of Russia’s most notorious ransomware gangs.

Thousands of miles away, just two days later, members of the Trickbot cybercriminal group gloated over how easily hospitals and healthcare providers could be targeted. “You see, how quickly hospitals and centers respond,” said Target, a key member of the Russia-linked malware gang, in a text message to one of his colleagues. The exchange is included in previously unreported documents, seen by WIRED, which include hundreds of messages sent between Trickbot members and detail the inner workings of the notorious hacking group. “Answers from the rest, [take] day. And from the ridge immediately the answer flew,” wrote Target.

As Target wrote, members of Trickbot were in the midst of launching a massive wave of ransomware attacks against hospitals across the United States. Their purpose: to force hospitals busy responding to the growing Covid-19 pandemic to quickly pay the ransom. The series of attacks prompted urgent warnings from federal agencies, including the Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation. “Bad clinics in the US this week,” Target said while issuing directives to begin targeting a list of 428 hospitals. “There will be a panic.”

The documents seen by WIRED include messages between senior members of Trickbot, from the summer and fall of 2020, and reveal how the group planned to expand its hacking activity. They expose the aliases of key members and show the ruthless attitude of the members of the criminal gang.

The messages were sent in the months before and soon after US Cyber Command disrupted much of Trickbot’s infrastructure and temporarily halted the group’s work. Since then, the group has expanded its activities and its malware development and continues to target businesses around the world. While Russia’s Federal Security Service recently captured members of the REvil ransomware gang, following diplomatic efforts between presidents Joe Biden and Vladimir Putin, Trickbot’s inner circle has so far been left relatively undisturbed.

The Trickbot team evolved from the Dyre banking trojan around the end of 2015, when Dyre’s members were arrested. The gang has developed its original banking trojan into a multi-purpose hacking toolkit; individual modules, which act like plugins, allow its operators to deploy the Ryuk and Conti ransomware, while others enable key logging and data collection. “I’m not aware of any other family of malware with multiple modules or functions,” said Vlad Pasca, senior malware analyst at security firm Lifars, who decompiled Trickbot’s code. That sophistication has helped the gang, also known as the Witch Spiders, collect millions of dollars from its victims.

According to documents reviewed by WIRED and the security experts who follow the group, a core team of about half a dozen criminals is at the heart of Trickbot’s operations. Each member has their own specialty, such as managing a team of developers or directing a ransomware deployment. The head of the organization is Stern. (As with all nicknames used in this story, the real-world name or names behind the handle are unknown. They are, however, the identities the team members use when talking to each other.)

“He’s the boss of Trickbot,” said Alex Holden, chief executive officer of cybersecurity firm Hold Security, who has knowledge of the gang’s activities. Stern acts as the CEO of the Trickbot team and communicates with other members on the same level. Holden says Stern may also report to others who are not yet known. “Stern is not very involved with the technical side,” he said. “He wants to report. He wants to communicate more. He wants to make high-level decisions.”


