Trickbot malware scumbag gets five years for infecting hospitals, businesses

A former Trickbot developer has been sent down for five years and four months for his role in infecting American hospitals and businesses with ransomware and other malware, costing victims tens of millions of dollars in losses.

Vladimir Dunaev, of Amur Oblast in Russia, was sentenced in the US yesterday after pleading guilty on November 30 to two counts: conspiracy to commit computer fraud, and conspiracy to commit wire fraud.

Between June 2016 and June 2021, Dunaev worked as a developer for the criminal gang, providing “specialized services and technical abilities,” according to his plea agreement [PDF].

These special skills included recruiting other coders, buying and managing servers used to deploy and operate the Windows nasty Trickbot, encrypting the malware to avoid detection by security software, spamming and phishing potential victims, and then laundering stolen funds. He also added support for stealing information out of victims’ browsers, such as their online account credentials.

“For instance, Dunaev developed browser modifications for several widely used open-source browsers, such as FireFox and Chrome, using open-source codebases for each browser called FireFox Nightly and Chromium,” the court documents say. “These modifications facilitated and enhanced the remote access obtained by Trickbot by allowing actors to steal passwords, credentials, and other stored information.”

Dunaev also confessed to writing code used to steal secrets from infected computers. Between October 2018 and February 2021 alone, the crew defrauded victims out of more than $3.4 million, the court documents claim.

According to the UK National Crime Agency, the gang has extorted at least $180 million (£145 million) from people and organizations worldwide.

In 2021, Dunaev was extradited to America from South Korea. The original indictment charged Dunaev and six others for their alleged roles in developing, deploying, managing and profiting from Trickbot.

In June, one of the six suspects — Trickbot malware admin Alla Witte — pleaded guilty to conspiracy to commit computer fraud and was sentenced to two years and eight months in prison.

Trickbot, which started as a banking Trojan and added functionality over the years, was also used as an initial intrusion vector for ransomware variants and even helped Emotet come back from the dead after that botnet’s law-enforcement takedown.

Trickbot shut down in 2022, but by then many of its malware developers had already moved on to other criminal operations.

In early 2023, the US and UK sanctioned seven Russians for their alleged roles in disseminating Conti and Ryuk ransomware along with the Trickbot banking trojan. Later that year, both governments added 11 more alleged Trickbot gang members to the list.