A former Trickbot developer was sentenced to five years and four months for his role in infecting US hospitals and businesses with ransomware and other malware, costing victims tens of millions of dollars in losses.
Vladimir Dunaev, from Russia’s Amur Oblast, was sentenced yesterday in the United States after pleading guilty on November 30 to two counts: conspiracy to commit computer fraud and conspiracy to commit wire fraud.
Between June 2016 and June 2021, Dunaev worked as a developer for the criminal gang, providing “specialized services and technical capabilities,” according to his plea agreement (PDF).
These specialized services included recruiting other coders, purchasing and managing servers used to deploy and operate the Windows-targeting Trickbot malware, encrypting the malware to avoid detection by security software, spamming and phishing potential victims, and then laundering the stolen funds. His work also added the ability to steal information from victims’ browsers, such as their online account credentials.
“For example, Dunaev developed browser modifications for several widely used open source browsers, such as FireFox and Chrome, using open source code bases for each browser called FireFox Nightly and Chromium,” court documents state. “These changes made it easier and better for remote access gained by Trickbot by allowing actors to steal passwords, credentials, and other stored information.”
Dunaev also admitted to writing code used to steal secrets from infected computers. Between October 2018 and February 2021 alone, the crew defrauded victims of more than $3.4 million, according to court documents.
According to the UK’s National Crime Agency, the gang extorted at least $180 million (£145 million) from people and organizations around the world.
In 2021, Dunaev was extradited to America from South Korea. The original indictment charged Dunaev and six others for their alleged roles in developing, deploying, managing, and profiting from Trickbot.
In June, one of the six suspects — Trickbot malware administrator Alla Witte — pleaded guilty to conspiracy to commit computer fraud and was sentenced to two years and eight months in prison.
Trickbot, which started as a banking Trojan and added features over the years, has also been used as an initial intrusion vector for ransomware variants and even helped Emotet come back from the dead after that botnet was dismantled by law enforcement.
Trickbot shut down in 2022, but by then many of its malware developers had moved on to other criminal operations.
At the start of 2023, the United States and the United Kingdom sanctioned seven Russians for their alleged roles in the spread of Conti and Ryuk ransomware as well as the Trickbot banking Trojan. Later that year, the two governments added 11 more alleged Trickbot gang members to the list. ®