TrickBot Group member faces life in prison for leading ransomware operations

Alla Witte, the arraigned TrickBot Group member, was arrested in Miami, Florida in February this year, shortly after law enforcement authorities in Europe and North America dismantled the infrastructure of Emotet, one of the world's most prolific and widely distributed malware botnets, active since 2014.

According to the U.S. Department of Justice, the TrickBot Group operated in Russia, Belarus, Ukraine, and Suriname, and targeted organisations in sectors such as healthcare, education, government, and public utilities with malware and ransomware attacks.  

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said Acting U.S. Attorney Bridget M. Brennan of the Northern District of Ohio.

Eric B. Smith, Special Agent in Charge at the FBI's Cleveland Field Office, said that Alla Witte and her associates are accused of infecting tens of millions of computers worldwide in order to steal financial information and ultimately siphon off millions of dollars through compromised computer systems. TrickBot Group's victims were located in the U.S., United Kingdom, Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, and Russia.

Witte, along with her co-conspirators, is alleged to have designed the TrickBot malware to steal banking login credentials, credit card numbers, and personal information such as email addresses, passwords, dates of birth, social security numbers and postal addresses. Using the malware to great effect, the group gained access to online bank accounts, executed unauthorised electronic funds transfers, and laundered the money through U.S. and foreign beneficiary accounts.

“Witte worked as a malware developer for the Trickbot Group and wrote code related to the control, deployment, and payments of ransomware. The ransomware informed victims that their computer was encrypted, and that they would need to purchase special software through a Bitcoin address controlled by the Trickbot Group to decrypt their files,” the indictment read.

“Witte allegedly provided code to the Trickbot Group that monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials.” 

If found guilty on all counts, Witte could face a combined maximum sentence that would amount to the rest of her life in prison. According to the DoJ, she faces a maximum penalty of five years in prison for conspiracy to commit computer fraud and aggravated identity theft, 30 years in prison for conspiracy to commit wire and bank fraud, 30 years in prison for each substantive bank fraud count, 20 years in prison for conspiracy to commit money laundering, and a mandatory two-year sentence for each aggravated identity theft count.

“Cyber intrusions and malware infections take significant time, expertise, and investigative effort, but the FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are,” Smith added.

In October last year, Microsoft announced that, working with a number of partners in the cybersecurity and technology sectors, it had succeeded in dismantling almost the entire infrastructure of the TrickBot Group, taking down 120 of the 128 servers identified as TrickBot infrastructure around the world. Organisations participating in the operation included the Microsoft Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT and Symantec, a division of Broadcom.

“During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. 

“As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers,” Microsoft said.

“We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action. We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline.”

Copyright Lyonsdown Limited 2021
