TrickBot Coder Arraigned

A Latvian coder for the infamous TrickBot malware was arraigned for her role in developing the malware. Alla Witte was charged with 19 counts of various crimes such as fraud, identity theft, data theft, and money laundering.

Alla’s alias is “Max” and she was arrested in Miami in February as the arraignment is just now becoming active. TrickBot is one of the most intrusive forms of malware and Max was one of the primary coders in creating the ransomware functionalities, control, deployment, and payments.

Developed in 2016, the TrickBot operators made it to steal banking credentials. Although, over the years, they’ve adapted and reconstructed in order to become more successful during attacks. If networks or devices are infected by the TrickBot malware, operators can take full control over them.

The Deputy Attorney General, Lisa Monaco, explained the malware in a Department of Justice announcement, “TrickBot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware… The Defendant is accused of working with others in the transnational criminal organization to develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom.

Late last year, TrickBot was the primary target of a takedown attempt by Microsoft and other law enforcement, but as most in the cyber industry know, they aren’t gone for long when this situation occurs. When another major botnet player, Emotet, was dismantled in January of this year, TrickBot infections surged as a placeholder.

The arrest of this individual will have short term benefits but in the long run, TrickBot will remain a constant in the threat landscape barring a massive depletion of their infrastructure.

The main takeaway from this developing situation is that groups like TrickBot are relentless because of their international access to other cybercriminals. One goes down and another fills the gap. For businesses, taking the same approach with the holes in your security infrastructure is what will create a successful defense against constant threats. SpearTip’s certified engineers work around the clock to protect from these threats. Our ShadowSpear® platform will spot TrickBot before it can infect your machines as our team is alerted to deal with the threats simultaneously. The combination of a reliable endpoint detection and response tool and a 24/7 Security Operations Center is what truly provides value.

It’s no question that threat actors are sophisticated and creative when it comes to coercing and receiving ransom payments. This is why it’s so important to have someone who can understand and properly analyze malware on your side. As mentioned above, if you’re organization rushes a ransomware payment and it ends up going to an OFAC sanctioned group, heavy fines can be issued on top of already losing profit to cybercriminals. If you feel your organization is under a ransomware attack, call our Security Operation Center as we have highly technical engineers on call 24 hours a day.

We specialize in incident response handling, but obviously, being proactive is much better than being reactive. We offer our Security Operations Center as a Service (SOCaaS) because we understand how important it is for our partners to be able to communicate with a real cyber professional on issues within their environment at any moment in the day. Security tools are all over the market and many will provide a layer of protection, but our Security Operations Center as a Service in tandem with our endpoint detection and response tool, ShadowSpear®, is the future of what cybersecurity will look like. Get ahead of threats today.

Our team will continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.