The Department of Justice has charged Alla Witte, a Latvian national also known as Max, who’s accused of being part of the Trickbot Group that deployed the notorious Trickbot malware. Witte allegedly helped develop the malware and wrote code related to its control and deployment, as well as code enabling ransomware payments. According to the DOJ, the ransomware-related code Max wrote would tell people that they need to purchase special software through a Bitcoin address controlled by the Trickbot Group to decrypt their files.
Authorities are also accusing her of writing code that monitored and tracked authorized users of the malware and of developing tools and protocols used to store stolen login credentials. Trickbot started out as malware designed to steal banking credentials and other logins. It grew more sophisticated over the years, gaining the ability to bypass safeguards put in place by tech companies.
Eventually, at least a million computers infected with the malware became known as the Trickbot botnet and served as a distribution platform for ransomware like Ryuk. At the height of the COVID-19 pandemic last year, US federal authorities warned that attackers had been using Trickbot to infect hospitals and healthcare providers with the Ryuk ransomware. Other victims of the malware include schools, public utilities and governments. In fact, both Microsoft and the DOD's US Cyber Command took steps to disrupt the botnet last year out of concern that bad actors would use the network of hijacked computers to meddle in the 2020 US presidential election.
While Max was originally from Latvia, the Trickbot Group operated out of Russia, Belarus, Ukraine and Suriname. The indictment (PDF) accuses Max and her accomplices of using Trickbot to steal money and confidential information from individuals, businesses and financial institutions in the US, UK, Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain and Russia. They allegedly started their operations in November 2015.
Witte was charged in 19 counts of a 47-count indictment, including conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit wire and bank fraud affecting a financial institution, bank fraud affecting a financial institution, aggravated identity theft and conspiracy to commit money laundering. Two of those carry a maximum sentence of 30 years in prison.
Deputy Attorney General Lisa O. Monaco said in a statement:
“Trickbot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware. The defendant is accused of working with others in the transnational criminal organization to develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom. These charges serve as a warning to would-be cybercriminals that the Department of Justice, through the Ransomware and Digital Extortion Task Force and alongside our partners, will use all the tools at our disposal to disrupt the cybercriminal ecosystem.”