TrickBot Developer Pleads Guilty in US CourtVladimir Dunaev Faces Up to 35 Years in Prison
A Russian national pleaded guilty in U.S. federal court for his role in developing TrickBot. Operators of the malware targeted hospitals and healthcare centers with ransomware attacks during the height of the novel coronavirus pandemic.
Vladimir Dunaev, 40, pleaded guilty in the U.S. District Court for the District of Northern Ohio on Thursday to one count of conspiracy to commit computer fraud and aggravated identity theft and one count of conspiracy to commit wire and bank fraud. His sentencing is set for Jan. 26, and he faces up to 35 years in prison.
South Korea extradited Dunaev in late 2021. Federal prosecutors said he had overseen the creation of the malware's browser injection, machine identification and data harvesting functions. Among the victims of TrickBot are three Minnesota medical facilities that were forced to turn away emergency patients as a result of the ransomware attacks. Prosecutors said that during Dunaev’s participation in the TrickBot operation, victims also included 10 organizations in northern Ohio, "including Avon schools and a North Canton real estate company," which "were defrauded of more than $3.4 million via ransomware deployed by TrickBot."
Dunaev was prosecuted alongside Alla Witte, a Latvian national arrested in 2021, as was Dunaev, and accused by prosecutors of working as a TrickBot developer on the control and deployment of ransomware, obtaining extortion payments and developing software tools to store stolen credentials. Witte pleaded guilty in June to conspiracy to commit computer fraud and was sentenced to two years and eight months in prison.
TrickBot was absorbed in 2021 by the now-defunct Conti ransomware-as-a-service group. Conti's operators spun off into multiple groups in May 2022, and some of those groups continue to use TrickBot-derived code.
British and American authorities have said the group cultivated ties to Russian intelligence and received tasking orders from the Kremlin.
Security researchers first identified TrickBot in 2016 and monitored its evolution from a variant of an earlier banking Trojan dubbed Dyre or Dyreza into a vector for Conti and Ryuk ransomware. The Washington Post reported in 2020 that U.S. Cyber Command had mounted an operation to disrupt the TrickBot botnet ahead of the American presidential election to head off potential ransomware attacks on state or local voter registration offices.
As with many types of malware, TrickBot's operators refined their code to add additional capabilities and meet changing criminal demands. Updates included making the malware serve as a dropper - a tool for downloading additional software onto an endpoint it had infected. It also gained web injection capabilities, allowing it to spoof legitimate banks and cryptocurrency exchanges.