How cybercriminal groups are hiring employees

In early June, the US Department of Justice announced the arrest of a 55-year-old Latvian woman accused of working as a computer programmer for Trickbot, a malware-as-a-service platform used to infect millions of computers and to install ransomware on many of them.

How did a freelance website designer and mother of two come to work for one of the most predatory cybercriminal groups, and why did she leave such an obvious trail proving her involvement with the team? In this post, we answer these questions and look at how Trickbot and other organized cybercriminal groups recruit, train, and secure the loyalty of new programmers.


Alla Witte’s personal website allawitte[.]nl, circa October 2018.

The indictment published by the Department of Justice (PDF) is heavily redacted and names only one of the defendants: Alla “Max” Witte, a 55-year-old Latvian citizen arrested on February 6 this year in Miami, Florida.

The Department says Witte is responsible for “leading the creation of code related to monitoring and tracking authorized Trickbot users, managing and installing ransomware, receiving payments from ransomware victims, and developing tools and protocols for storing identities stolen from Trickbot-infected victims.” …

The indictment also states that Witte wrote the code for a web panel that the Trickbot group used to access victim data stored in a database. According to the government’s statement, the database held a large number of credit card numbers and credentials stolen by the Trickbot botnet, as well as information about the infected machines being used as bots.

“Witte created the code for this repository, which shows in different colors the state of an infected computer (“bot”) and allows other members of the Trickbot Group to know when their accomplices are working with a particular infected machine,” the indictment says.

In hindsight, the indictment and arrest of Witte look inevitable: it is hard to imagine an accused cybercriminal making more beginner’s mistakes than this Latvian citizen did.

First, it appears that in 2020 Witte hosted Trickbot on a website registered in her own name, allawitte[.]nl.

Although cybercriminals are supposed to keep their personal lives separate from their work, Witte’s social media profiles mention a close family member (possibly a son or husband) named Max; presumably this was also her hacker nickname.

Unlike many accused cybercriminals from Russia or the former Soviet republics, Witte did not think she needed to avoid traveling to countries where US law enforcement could detain her. According to the indictment, Witte lived in the South American country of Suriname and was arrested in Miami after arriving from Suriname. The indictment does not say what her final destination was.


A Google-translated post that Witte posted on her VKontakte page five years prior to her alleged joining the Trickbot group.

Alex Holden, founder of the cybersecurity firm Hold Security, said that Witte’s biggest mistake came around Christmas 2019, when she infected one of Trickbot’s own computers with the malware, allowing it to capture and log her own data in the botnet’s interface.

“She has reused the same passwords many times, and the data shows detailed information about her professional and personal use of the Internet,” Holden wrote in a post dedicated to Witte’s arrest.

“Many of the band members knew not only her gender, but also her name,” Holden wrote. “Many of them had data folders called AllaWitte. They communicated with Alla almost the same way as with their mothers.”

How did this hacker, a mother with a complete lack of self-preservation instinct, manage to get a job in one of the most dangerous cybercriminal groups in the world?

Several pages of the government’s indictment are devoted to the Trickbot group’s recruitment process: the group constantly scoured Russian and Belarusian job sites looking for the resumes of programmers seeking work. Those who responded to the group’s offer were asked to write various programs to test their problem-solving and coding skills.

Below is an excerpt from translated messenger correspondence between two unnamed defendants from the Trickbot group. In it, they discuss a candidate who immediately realized that he was being hired to take part in cybercriminal activity.


Correspondence between two members of the Trickbot group discussing a potential new employee. Source: US Department of Justice.

The correspondence below, circa June 1, 2016, discusses a potential new Trickbot employee who successfully completed the task of modifying the Firefox browser.

Other snippets of correspondence in the indictment make it clear that most of those hired understood that the projects and tests they were given were related to cybercriminal activity.

“The majority understood that this was a blackhat and asked for commercial targets to attack,” wrote the defendant identified as Co-Conspirator 8 (CC8).

But what about new hires who did not fully understand how the programs they were asked to write would be used? Another source from the threat research industry, who had insight into Trickbot’s internal workings, provided additional information on how the group handled developer onboarding.

“There is a two-step process in which you may not at first understand who you are working for. But this period of time is usually rather short, less than a year,” the source said.

After this stage, if the candidate proved talented and diligent, a member of the Trickbot group brought the newcomer up to speed, that is, explained plainly how the results of their work were being used.

“If you do a good job, then at some point you are brought up to date, but if you do not cope or you are not satisfied with it, then they make a decision quickly enough, and your services are no longer required. But if you have lasted for more than a year, then the chances that you still do not understand what you are doing are extremely small,” says the source.

According to a Justice Department statement, Witte had access to Trickbot for about two years, from 2018 to 2020.

Investigators report that prior to the launch of Trickbot, some members of the group distributed Dyre, a particularly stealthy banking trojan that stole passwords for various banks. The government agency reports that Trickbot members, including Witte, often used bank account passwords stolen with their malware to siphon money from victims’ accounts and send it to networks of “drops”.

Trickbot’s hiring model lets the group cheaply and covertly recruit a steady stream of talented developers. But it also creates a very real risk that new hires will let investigators get inside the group and possibly even identify its members.

Almost all ransomware attacks today are carried out by affiliate ransomware groups that are constantly hiring new members to cope with staff churn, competition from other ransomware groups, and the arrest of some participants.

Under a ransomware affiliate program, a cybercriminal can receive up to 85% of the ransom paid by the victim company he compromised. From time to time, poor operational security on the part of an affiliate jeopardizes the work of the entire group.

On June 7, the US Department of Justice announced that it had recovered $2.3 million worth of bitcoin paid last month by Colonial Pipeline to its ransomware extortionists. The funds had been sent to DarkSide, the ransomware-as-a-service syndicate that disbanded on May 14 with a farewell letter to its affiliates, in which it said that its Internet servers and cryptocurrency storage had been seized by unidentified law enforcement agencies.

“Receipts of ransom payments from victims were transferred to a specific address, to which the FBI had a ‘private key’ – something like a password needed to access resources available through a Bitcoin address,” the Justice Department says rather mysteriously.

Many security professionals quickly worked out why the recovered funds fell short of the full amount Colonial paid (about $4.4 million): the amount returned is roughly equal to the share that the DarkSide affiliate would have received for infecting the victim’s computers in the lead-up to the ransomware attack.

