Despite the arrests and wider ransomware crackdowns in Russia, the Trickbot group has not exactly gone into hiding. Toward the end of last year, the group boosted its operations, says Limor Kessem, an executive security advisor at IBM Security. “They’re trying to infect as many people as possible by contracting out the infection,” she says. Since the start of 2022, the IBM security team has seen Trickbot increase its efforts to evade security protections and conceal its activity. The FBI also formally linked the use of the Diavol ransomware to Trickbot at the beginning of the year. “Trickbot doesn’t seem to be targeting very specifically; I think what they have is numerous affiliates working with them, and whoever brings the most money is welcome to stay,” Limor says.
Holden too says he has seen evidence that Trickbot is ramping up its operations. “Last year they invested more than $20 million into their infrastructure and growth of their organization,” he explains, citing internal messages he has seen. This money, he says, is being spent on everything Trickbot does. “Staffing, technology, communications, development, extortion” are all getting extra investment, he says. The move points to a future where—after the takedown of REvil—the Trickbot group may become the primary Russia-linked cybercrime gang. “You expand in the hope of getting that money back in spades,” Holden says. “It’s not like they are planning to close the shop. It’s not like they are planning to downsize or run and hide.”