The U.S. Department of Justice announced on Friday the arraignment of a Latvian for her alleged role in creating and operating the infamous TrickBot malware.
Alla Witte, who is known in cybercrime circles by the handle “Max,” was arrested in February in Miami. According to the indictment, she’s one of TrickBot’s main coders, responsible for developing ransomware-related functionality, including control, deployment and payments.
TrickBot is a well-known and sophisticated trojan first developed in 2016 to steal online banking credentials – but it has a history of transforming itself and adding new features. Moving far beyond its banking roots, it has developed over the years into a full-fledged, module-based crimeware solution offered in a malware-as-a-service model, typically aimed at attacking corporations and public infrastructure.
Devices infected with TrickBot will become part of a botnet that can allow attackers to gain complete control of the device. Typical consequences of TrickBot infections are bank account takeover, high-value wire fraud and ransomware attacks. It’s often seen working in concert with other trojans too.
“TrickBot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware,” said Deputy Attorney General Lisa Monaco, in a Department of Justice (DoJ) announcement. “The defendant is accused of working with others in the transnational criminal organization to develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom.”
Max Faces 30+ Years in Prison
Witte was charged in federal court on 19 counts of a 47-count indictment. In addition to the ransomware participation, the DoJ said that Witte allegedly provided code that monitored and tracked authorized MaaS users of TrickBot, and developed tools and protocols to store stolen login credentials.
She’s also charged with harvesting personal information, including credit-card numbers, emails, passwords, dates of birth, Social Security numbers and addresses in concert with other gang members; gaining illegal access to online bank accounts; executing unauthorized electronic funds transfers; and money laundering.
She has allegedly been an active member of the TrickBot gang since November 2015, according to the indictment.
“The TrickBot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said Acting U.S. Attorney Bridget Brennan of the Northern District of Ohio. “Federal law enforcement, along with assistance provided by international partners, continue to fight and disrupt ransomware and malware where feasible. We are united in our efforts to hold transnational hackers accountable for their actions.”
The charges include counts of computer fraud, aggravated identity theft, wire and bank fraud, and money laundering. If convicted, she could face decades in prison. Maximum penalties for the crimes are as follows:
- Five years for conspiracy to commit computer fraud and aggravated identity theft;
- 30 years for conspiracy to commit wire and bank fraud;
- 30 years for each substantive bank fraud count;
- A two-year mandatory sentence for each aggravated identity theft count, which must be served consecutively to any other sentence;
- And 20 years for conspiracy to commit money laundering.
Last October, ESET, Lumen’s Black Lotus Labs, Microsoft, NTT Ltd., Symantec and others combined to take down swathes of the TrickBot infrastructure. However, by January infections were on the rise again.