Another member of the Trickbot malware crew now faces a lengthy prison sentence amid US law enforcement's ongoing search for its leading members.
Russian national Vladimir Dunaev, 40, faces a maximum sentence of 35 years in prison for his involvement in the now-shuttered Trickbot malware, which was often used to deploy ransomware.
Pleading guilty to the charges against him on Thursday, Dunaev was one of the developers behind Trickbot - malware that was used to attack various organizations including hospitals and schools.
The Department of Justice said that tens of millions of dollars in losses have been incurred by Trickbot victims since it was first launched in 2016.
"As set forth in the plea agreement, Vladimir Dunaev misused his special skills as a computer programmer to develop the Trickbot suite of malware," said Rebecca C Lutzko, US attorney for the Northern District of Ohio, in response to Dunaev's plea hearing.
"Dunaev and his codefendants hid behind their keyboards, first to create Trickbot, then using it to infect millions of computers worldwide - including those used by hospitals, schools, and businesses - invading privacy and causing untold disruption and financial damage."
Dunaev was extradited to the US from the Republic of Korea in 2021 and joins a growing list of Trickbot members firmly in the crosshairs of US prosecutors.
Earlier that year, fellow Trickbot developer Alla Witte, 55, was snared by the DoJ and faced a 47-count indictment, potentially leading to a lifetime sentence.
Witte was sentenced in June 2023 and ultimately received just two years and eight months in prison.
In September this year, the US and UK jointly issued financial sanctions on 11 other members of Trickbot, all believed to hold roles in the development or administration of the malware.
These were the second round of sanctions against members of the group, with the first coming earlier in February.
Seven individuals were named in what was the UK's first-ever cybercrime-related round of sanctions.
The UK's National Crime Agency said the group had extorted at least $180 million from victims globally, at least $34 million of which came from 149 victims in the UK. Trickbot started life as a banking trojan and is widely believed to be the successor to the Dyre malware, another banking trojan first spotted two years earlier in 2014.
The code similarities between the two led researchers to believe the same team behind Dyre may have also helped bring Trickbot to life, though US prosecutors have made no such links.
From its birth in 2016, Trickbot was under consistent active development with new features regularly being added to the kit, including wormabilty in 2017 - a feature that researchers at Malwarebytes believe was inspired by WannaCry and EternalPetya.
Over the years it's helped deploy ransomware variants such as Ryuk and was a long-time partner of Emtotet, even playing a role in its 2021 rebirth just six months after an internationally coordinated law enforcement effort brought it down.
Many of its members were thought to have already shifted to the hugely successful Conti ransomware gang.
The Russia-linked group behind Trickbot, Conti, and Ryuk is Wizard Spider, which has also attracted heavy attention from the US, including multimillion-dollar bounties for information about its members.
According to the list of sanctioned individuals tied to Trickbot, it even has normal-sounding job titles such as human resources officers.
Should the links to Russia be true, it's unlikely the sanctioned individuals will ever be extradited and face their charges, unless they enter a country with an extradition agreement with the US. .
This Cyber News was published on go.theregister.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000