
Why the Trickbot ransomware gang pivoted to targeting Ukraine

The Trickbot group made a surprising pivot to attacking Ukraine during the Russian invasion, running at least six campaigns between mid-April and mid-June, according to a new report from IBM’s Security X-Force. 

The shift follows the takeover of Trickbot, which IBM tracks as ITG23, by the Russia-supporting Conti gang months before.

“Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected,” IBM reported. 

“The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population.”

The report tracked six campaigns by Trickbot, four of which were previously disclosed by the Computer Emergency Response Team of Ukraine (CERT-UA). 

The campaigns deployed several new tools and tactics, including: 

A malicious Excel file used to download the payloads.

A self-extracting archive (SFX) designed to drop and build ITG23 payloads such as AnchorMail, CobaltStrike, and IcedID.

A new ITG23 malware crypter X-Force has dubbed “Forest.”

A takeover, then leaks

Trickbot’s malware operation was once considered a notorious force in the ransomware ecosystem. But by late 2021 Trickbot’s infrastructure went dormant and it appeared to shutter in February of this year — in part because by then their attacks were easily detectable to security products, researchers told The Record.

Later that month, the operation was taken over and resurrected by the Conti ransomware gang, Bleeping Computer reported — just as ransomware groups, many of which are based in Eastern Europe, began taking sides in Russia’s invasion of Ukraine. 

This was a major shift for the local ecosystem. 

“Russian-speaking criminal underground communities have long generally discouraged if not outright banned going after former Soviet countries,” IBM noted.

Conti came out with an aggressive pro-Russian stance — which helps explain Trickbot’s pivot, despite a U.S. Department of Justice indictment from last year noting that their operations worked across Ukraine, Belarus, and Russia. 

The Conti announcement also pushed a Ukrainian security researcher to start leaking internal communications that shed light on the cybercriminal group’s operations. 

The latest IBM report suggests those leaks didn’t stop the group from joining the digital fray on Russia’s behalf.  

However, the group did start to wind down operations in May, with the last of their leak and negotiation sites shuttering in late June, Bleeping Computer reported.

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.