Inside Trickbot, Russia’s notorious ransomware gang


When the phones and computer networks went down at Ridgeview Medical Center’s three hospitals on October 24, 2020, the medical group resorted to a Facebook post to alert its patients to the outage. One local volunteer-run fire department said ambulances were being diverted to other hospitals; officials reported that patients and staff were safe. The outage at the Minnesota medical facilities was not a technical problem: reports quickly linked the activity to one of Russia’s most notorious ransomware gangs.

Thousands of kilometers away, just two days later, members of the cybercrime group Trickbot were privately gloating about what easy targets hospitals and healthcare providers were. “See how fast the hospitals and centers are responding,” Target, a key member of the Russia-linked malware gang, boasted in messages to one of his colleagues. The exchange is included in previously unreported documents seen by WIRED, which consist of hundreds of messages sent between Trickbot members and detail the inner workings of the notorious hacking group. “Answers from others, [take] days. And from the ridge immediately flew the answer,” writes Target.

As Target wrote, Trickbot members were in the midst of launching a massive wave of ransomware attacks against hospitals across the United States. Their goal: to force hospitals busy responding to the growing Covid-19 pandemic to pay ransoms quickly. The series of attacks prompted emergency warnings from federal agencies, including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. “Fuck US clinics this week,” Target said as he instructed colleagues to begin targeting a list of 428 hospitals. “There will be panic.”

The documents, seen by WIRED, include messages between senior members of Trickbot, dating from the summer and fall of 2020, and reveal how the group planned to expand its hacking operations. They reveal aliases of key members and show the ruthless attitude of members of the criminal gang.

The messages were sent in the months before and shortly after U.S. Cyber Command breached much of Trickbot’s infrastructure and temporarily shut down the group’s operations. Since then, the group has expanded its operations, developed its malware further, and continues to target businesses around the world. Although Russia’s Federal Security Service recently arrested members of the REvil ransomware gang — following diplomatic efforts between Presidents Joe Biden and Vladimir Putin — Trickbot’s inner circle has so far remained relatively unscathed.

The Trickbot group evolved from the Dyre banking trojan around the end of 2015, when Dyre members were arrested. The gang has since turned its original banking trojan into a versatile hacking toolkit: separate modules that work as plugins allow its operators to deploy Ryuk and Conti ransomware, while other features enable keylogging and data collection. “I don’t know of any other malware families that have so many modules or advanced functionality,” said Vlad Paska, senior malware analyst at security firm Lifars, who decompiled Trickbot’s code. This sophistication has helped the gang, also known as Wizard Spider, collect millions of dollars from victims.

A core team of about half a dozen criminals is at the heart of Trickbot’s operations, according to documents reviewed by WIRED and security experts who track the group. Each member has their own specialty, such as managing teams of developers or leading ransomware deployments. The head of the organization is Stern. (As with all aliases used in this story, the real-world name or names behind the handle are unknown; however, these are the identities the group’s members use when talking to each other.)

“He’s the boss of Trickbot,” said Alex Holden, who is chief executive of cybersecurity firm Hold Security and has knowledge of the gang’s operations. Stern acts as the CEO of the Trickbot group and communicates with other members who are on a similar level. He may also report to others who remain unknown, Holden says. “Stern doesn’t get into the technical side as much,” he says. “He wants reports. He wants more communication. He wants to make decisions at a high level.”
