Vladimir Dunaev, a 40-year-old Russian citizen, has been handed a five-year and four-month prison sentence for his pivotal role in creating and deploying the TrickBot malware, as announced by the U.S. Department of Justice (DoJ).
This development transpired almost two months subsequent to Dunaev’s admission of guilt regarding computer fraud, identity theft, and conspiracy to perpetrate wire fraud and bank fraud.
The DoJ elucidated, “Hospitals, schools, and businesses were amidst the myriad victims of TrickBot, grappling with losses amounting to tens of millions of dollars. While in operation, the TrickBot malware, serving as the primary intrusion vector into victim computer systems, was wielded to bolster diverse ransomware iterations.”
Commencing as a banking trojan in 2016, TrickBot metamorphosed into a versatile tool capable of delivering supplementary payloads, notably ransomware. Following concerted efforts to dismantle the botnet, it became assimilated into the Conti ransomware operation in 2022.
The cybercrime faction’s declared allegiance to Russia during the Russo-Ukrainian conflict resulted in a series of leaks known as ContiLeaks and TrickLeaks. These leaks led to the Conti operation’s shutdown in mid-2022 and its fragmentation into numerous other ransomware and data extortion groups.
Dunaev is reputed to have contributed specialized services and technical prowess to advance the TrickBot enterprise from June 2016 to June 2021, utilizing it to unleash ransomware on hospitals, schools, and businesses.
Specifically, the accused devised browser modifications and malicious tools that facilitated the extraction of credentials and sensitive data from compromised systems while also enabling remote access. Additionally, he authored programs to evade detection of the TrickBot malware by legitimate security software.
In a parallel case, Alla Witte, another TrickBot developer and a citizen of Latvia, received a sentence of two years and eight months in June 2023.
News of Dunaev’s sentencing surfaces just days after the governments of Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national associated with the REvil ransomware gang, for orchestrating the 2022 assault on health insurance provider Medibank.
Cybersecurity entity Intel 471 revealed Ermakov’s online aliases, including blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.
Operating as JimJones, he was observed attempting to recruit unscrupulous penetration testers willing to provide login credentials for vulnerable organizations, all in exchange for $500 per access and a 5% share of the ransom proceeds.
“These identifiers are linked to a broad spectrum of cybercriminal endeavors, encompassing network intrusions, malware development, and ransomware onslaughts,” the company stated, shedding light on his extensive cybercrime dossier.
“Ermakov maintained a robust presence on cybercriminal forums, assuming roles as both a procurer and purveyor in the cybercrime-as-a-service landscape, functioning as a ransomware operator and affiliate. Indications suggest Ermakov’s involvement with a software development company specializing in both legitimate and illicit software development.”