The US Department of Justice (DOJ) announced today that a citizen of Latvia was indicted for her alleged role as a malware developer in the transnational cybercrime organization Trickbot.
Alla Witte (also known as Max) was charged with 19 counts of a 47-count indictment after being arrested on February 6 in Miami, Florida.
As a developer of the Trickbot malware, Witte wrote the code the malware used to monitor, deploy and manage ransomware payments, the DOJ said in a press release published today.
Witte also allegedly provided the Trickbot group with the code needed to monitor and track authorized users of the malware, and developed the tools and protocols used to store the login credentials stolen from victims' networks.
The case was investigated by the FBI’s Cleveland Office and the DOJ’s Ransomware and Digital Extortion Task Force, created to combat the growing number of ransomware and digital extortion attacks.
“Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information and ultimately divert millions of dollars through compromised computer systems,” said FBI Special Agent Eric B. Smith.
Tango down: “Alla Witte” also known as “Alla Klimova” – one known #TrickBot Developer and Operator Arrested!
– Vitali Kremez (@VK_Intel) June 4, 2021
Trickbot is a malware strain first detected in October 2016 as a modular banking Trojan; it has been continuously updated with new modules and features since then.
Although initially used only to collect sensitive data, Trickbot has gradually evolved into a highly dangerous malware dropper used to deliver additional, usually far more damaging, malware payloads to infected devices.
This typically happens after all sensitive information (system information, credentials, and any files of interest) has been collected and exfiltrated to attacker-controlled servers.
On October 12, Microsoft and several partners announced that they had taken down some of Trickbot's C2 servers. US Cyber Command also attempted to cripple the botnet before the presidential election by pushing a configuration file to infected devices that disconnected them from the botnet's C2 servers.
However, despite these coordinated attacks against TrickBot’s infrastructure, the TrickBot gang’s botnet is still active and the group is still releasing new builds of malware.
The TrickBot gang is known for deploying Ryuk and Conti ransomware on the compromised networks of high-value corporate targets.
“Trickbot infected millions of victim computers around the world and was used to collect bank credentials and deliver ransomware,” Deputy Attorney General Lisa O. Monaco said today.
“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing great financial damage and inflicting significant damage to critical infrastructure within the United States and abroad,” added Acting US Attorney Bridget M. Brennan of the Northern District of Ohio.