When the phones and computer networks went down at Ridgeview Medical Center’s three hospitals on October 24, 2020, the medical group resorted to a Facebook post to warn its patients about the disruption. One local volunteer-run fire department said ambulances were being diverted to other hospitals; officials reported patients and staff were safe. The downtime at the Minnesota medical facilities was no technical glitch; reports quickly linked the activity to one of Russia’s most notorious ransomware gangs.
Thousands of miles away, just two days later, members of the Trickbot cybercrime group privately gloated over what easy targets hospitals and health care providers make. “You see, how fast, hospitals and centers reply,” Target, a key member of the Russia-linked malware gang, boasted in messages to one of their colleagues. The exchange is included in previously unreported documents, seen by WIRED, that consist of hundreds of messages sent between Trickbot members and detail the inner workings of the notorious hacking group. “Answers from the rest, [take] days. And from the ridge immediately the answer flew in,” Target wrote.
As Target typed, members of Trickbot were in the middle of launching a huge wave of ransomware attacks against hospitals across the United States. Their aim: to force hospitals busy responding to the surging Covid-19 pandemic to quickly pay ransoms. The series of attacks prompted urgent warnings from federal agencies, including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. “Fuck clinics in the usa this week,” Target said as they gave the instruction to start targeting a list of 428 hospitals. “There’s gonna be a panic.”
The documents seen by WIRED include messages between senior members of Trickbot, dated from the summer and autumn of 2020, and expose how the group planned to expand its hacking operations. They lay bare key members’ aliases and show the ruthless attitude of members of the criminal gang.
The messages were sent in the months before and shortly after US Cyber Command disrupted much of Trickbot’s infrastructure and temporarily stopped the group’s work. Since then the group has scaled up its operations and evolved its malware, and it continues to target businesses around the world. While Russia’s Federal Security Service has recently arrested members of the REvil ransomware gang—following diplomatic efforts between presidents Joe Biden and Vladimir Putin—Trickbot’s inner circle has so far been left relatively unscathed.
The Trickbot group evolved from the banking trojan Dyre around the end of 2015, when Dyre’s members were arrested. The gang has grown its original banking trojan to become an all-purpose hacking toolkit; individual modules, which operate like plugins, allow its operators to deploy Ryuk and Conti ransomware, while other functions enable keylogging and data collection. “I don’t know any other malware families that have so many modules or extended functionalities,” says Vlad Pasca, a senior malware analyst at security company Lifars who has decompiled Trickbot’s code. That sophistication has helped the gang, also known as Wizard Spider, collect millions of dollars from victims.
A core team of around half a dozen criminals sits at the heart of Trickbot’s operations, according to the documents reviewed by WIRED and security experts who track the group. Each member has their own specialities, such as managing teams of coders or heading up ransomware deployments. At the head of the organization is Stern. (Like all the monikers used in this story, the real-world name, or names, behind the handles are unknown. They are, however, the identities the group uses when talking to each other.)
“He is the boss of Trickbot,” says Alex Holden, who is CEO of cybersecurity firm Hold Security and has knowledge of the workings of the gang. Stern acts like a CEO of the Trickbot group and communicates with other members who are at a similar level. They may also report to others who are unknown, Holden says. “Stern does not get into the technical side as much,” he says. “He wants reports. He wants more communication. He wants to make high-level decisions.”