Cops in Germany Claim They've ID'd the Mysterious Trickbot Ransomware Kingpin


Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs, but received no response.

Meanwhile, Kovalev’s name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member of Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles “ben” and “Bentley.” The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev’s 2023 indictment was chiefly noteworthy because his use of “Bentley” as a handle was determined to be “historic” and distinct from that of another key Trickbot member who also went by “Bentley.”

The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and staff with the Conti gang. In early 2022, Conti published a statement backing Russia’s full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a vast trove of information about their day-to-day operations and structure.

Stern acted like a “CEO” of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.

“Trickbot set the mold for the modern ‘as-a-service’ cybercriminal business model that was adopted by countless groups that followed,” Recorded Future’s Leslie says. “While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web.”

Stern’s prominence within Russian cybercrime has been widely documented. The cryptocurrency tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on BKA’s identification, but the company emphasized that the Stern persona alone is one of the all-time most profitable ransomware actors it tracks.

“The investigation revealed that stern generated significant revenues from illegal activities, in particular in connection with ransomware,” the BKA spokesperson tells WIRED.

Stern “surrounds himself with very technical people, many of which he claims to have sometimes decades of experience, and he’s willing to delegate important tasks to these experienced people whom he trusts,” says Keith Jarvis, a senior security researcher at cybersecurity firm Sophos’ Counter Threat Unit. “I think he’s always probably lived in that organizational role.”

Increasing evidence in recent years has indicated that Stern has at least some loose connections to Russia’s intelligence apparatus, including its main security agency, the Federal Security Service (FSB). The Stern handle mentioned setting up an office for “government topics” in July 2020, while researchers have seen other members of the Trickbot group say that Stern is likely the “link between us and the ranks/head of department type at FSB.”

Stern’s consistent presence was a significant contributor to Trickbot and Conti’s effectiveness—as was the entity’s ability to maintain strong operational security and remain hidden.

As Sophos’ Jarvis put it, “I have no thoughts on the attribution as I’ve never heard a compelling narrative about Stern’s identity from anyone prior to this announcement.”