Conti Ransomware Gang Incorporates TrickBot

For the past four years, the name TrickBot has been featured in numerous conversations and articles, including in this publication. We have covered how the malware survived several takedowns only to return improved and ready to pave the way for ransomware gangs to encrypt the networks of high-value targets. We have also covered how the Conti ransomware gang partnered with TrickBot's developers to improve the ransomware's distribution: TrickBot achieved the initial compromise, and Conti was then dropped onto the network to deliver the knockout punch.

New research published by AdvIntel suggests that TrickBot's top members have moved under new management, the Conti ransomware syndicate, which plans to replace TrickBot with the stealthier BazarBackdoor malware.


There are several reasons why TrickBot's talented developers have been drawn into the Conti family; a brief look at TrickBot's history reads like an impressive CV to a future employer. TrickBot was modular by design, which meant it could be quickly modified to improve existing features or add new ones without a lengthy development cycle.

As an example of this, in July 2020, TrickBot's developers test-piloted a mysterious module known as grabber.dll. That version of the module was built to steal browser data, including cookies, from Google Chrome, Internet Explorer, Mozilla Firefox, and Microsoft Edge.

At the peak of TrickBot's capabilities, the malware was able to maintain persistence on victims' machines by tampering with UEFI/BIOS firmware. AdvIntel states,

"In October 2021, TrickBot even developed a function designed to inspect the UEFI/BIOS firmware of its targets, in order to survive any system re-imaging efforts during the recovery phase of a Ryuk (Conti) ransomware event, further allowing adversaries to semi-permanently brick an affected device. The installation framework of TrickBot's notorious AnchorDNS malware has also been used by some of the most notorious (specifically Russian and North Korean) threat actors to target healthcare, finance, telecoms, education, and critical infrastructure."

This surely attracted the attention of ransomware developers: over the course of TrickBot's history, several ransomware gangs partnered with the malware's operators, including Conti and Ryuk. In fact, AdvIntel notes,

"However, the most salient and worrisome prediction for TrickBot was its role as the most dangerous tool in ransomware's future arsenal. The group's elite division, called Overdose, managed the TrickBot campaigns that resulted in the creation of Conti and Ryuk ransomware. The group has made at least $200 million USD, with one extreme case extorting ~$34 million USD from a single victim, and has perpetrated a spate of attacks on numerous healthcare organizations, including Universal Health Services (UHS) via BazarBackdoor to Ryuk ransomware (the attack was estimated to account for $67 million USD in damages)."

Changing Ransomware Landscape

The major law enforcement clampdowns that occurred throughout 2021 caused many ransomware-as-a-service (RaaS) gangs to retire. This opened the door for ransomware gangs that operated in tighter groups to take center stage; groups like Conti and EvilCorp rose to prominence due to their makeup and skills.

Because these groups rely on small, trust-based teams of hackers rather than on affiliates, catching their members is proving difficult. Some contend that Conti and EvilCorp are now structured more like criminal syndicates than ransomware operations.

Conti's operators, seeing how resilient the Emotet-TrickBot-Ryuk supply chain was, surely wanted a piece of the pie. This resulted in the two groups partnering.

However, as much of TrickBot's potential customer base was disappearing due to the crackdown on RaaS and Conti's rise, it seemed a logical decision for TrickBot's operators to let the malware become a subsidiary of Conti rather than remain a partner.

This change in the relationship can be seen in Conti's use of the botnet towards the end of 2021. By then, Conti was the sole end user of TrickBot's botnet.

While TrickBot is still active, it would seem that activity related to the malware has peaked. To further illustrate this point, AdvIntel notes that it has become increasingly easy for security vendors to detect and mitigate TrickBot infections based on known indicators of compromise. This means that Conti is unlikely to use TrickBot for further infections.

Rather, the use of BazarBackdoor has increased. BazarBackdoor is the TrickBot group's newer, stealthier replacement malware, now being leveraged against high-value targets. BazarBackdoor was formerly part of TrickBot's toolkit but has now become a fully autonomous tool in its own right.

AdvIntel researchers concluded that,

"In name, at least, this means that TrickBot's four-year saga is now coming to a close—the liaison that has defined the cybercrime domain for years has been reborn into a newer, possibly even deadlier form…However, the people who have led TrickBot throughout its long run will not simply disappear. After being "acquired" by Conti, they are now rich in prospects with secure ground beneath them, and Conti will always find a way to make use of the available talent."

It is hard to disagree with this sentiment: the skills and experience Conti has gained by bringing in these capable hackers make the threat posed by the group more worrying than before.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
