Ransomware Groups Using TrickBot Malware to Exfiltrate US$724 Million in Cryptocurrency
The cybersecurity landscape continues to evolve as ransomware groups adopt increasingly sophisticated tactics to maximize their financial gains.
The TrickBot malware family has emerged as a central component in a massive cryptocurrency extortion scheme, with ransomware-as-a-service (RaaS) groups leveraging this versatile banking trojan to facilitate attacks worth over US$724 million in cryptocurrency.
TrickBot, originally designed as a banking trojan, has transformed into a multi-purpose tool utilized by various ransomware operators including Black Basta and FunkSec.
These groups have weaponized the malware’s extensive capabilities, using it not only for initial access but also as a platform for deploying secondary payloads and maintaining persistent access to compromised networks.
The malware’s modular architecture allows attackers to customize their approach based on specific targets and objectives.
The scale of the financial damage demonstrates the effectiveness of TrickBot as a delivery mechanism for ransomware operations.
Akamai analysts identified the malware’s presence across multiple customer environments, observing four distinct malicious scheduled tasks deployed across five separate customer assets.
These scheduled tasks serve as persistence mechanisms, ensuring the malware maintains its foothold within compromised systems even after system reboots or security interventions.
The current threat landscape shows ransomware groups continuously evolving their extortion tactics, with quadruple extortion representing the newest approach while double extortion remains the most prevalent method.
Groups are increasingly pressuring victims through compliance weaponization and expanding their profit-generation strategies beyond traditional file encryption.
TrickBot’s Persistence and Execution Mechanisms
The malware’s persistence strategy relies heavily on scheduled task creation, a technique that allows it to execute at predetermined intervals without user interaction.
These scheduled tasks are configured to launch TrickBot components during system startup or at specific time intervals, ensuring continuous operation. The malware typically creates tasks with names designed to appear legitimate, often mimicking system processes or common software update routines.
TrickBot’s execution flow involves multiple stages, beginning with initial reconnaissance to gather system information and network topology.
The malware then establishes communication channels with command-and-control servers, awaiting further instructions for payload deployment.
This multi-stage approach lets operators tailor each attack to the value and accessibility of the compromised systems. The final stage is the deployment of ransomware payloads, which underpin the large-scale cryptocurrency extortion campaigns observed by security researchers.
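Because the article's observed persistence mechanism is scheduled-task creation with legitimate-looking names, a defender's first check is to triage task-creation events for the pattern it describes. The following is an added example written for this page (not Akamai's or the article's code) that scores Windows Security event 4698 records by parsing the task XML they carry; the namespace is the standard Task Scheduler one, while the heuristic regexes, task names and file paths in the samples are constructed assumptions, not indicators from the article.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in event 4698's TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristics (assumed): binaries in user-writable dirs, lookalike names, where system tasks live.
USER_WRITABLE = re.compile(r"(appdata|\\temp\\|\\programdata\\|\\users\\public\\)", re.I)
LOOKALIKE_NAME = re.compile(r"(update|microsoft|windows|system)", re.I)
TRUSTED_DIR = re.compile(r'^"?(%windir%|%systemroot%|c:\\windows\\|c:\\program files)', re.I)

def task_actions(task_content):
    """Return (command, arguments) pairs from every Exec action in the task XML."""
    root = ET.fromstring(task_content)
    return [((ex.findtext("t:Command", default="", namespaces=NS) or "").strip(),
             (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip())
            for ex in root.findall(".//t:Actions/t:Exec", NS)]

def score_task(task_name, task_content):
    """Return the reasons a task creation looks suspicious; an empty list is a clean task."""
    reasons = []
    for cmd, args in task_actions(task_content):
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"runs from a user-writable path: {cmd} {args}".rstrip())
        if LOOKALIKE_NAME.search(task_name) and cmd and not TRUSTED_DIR.match(cmd):
            reasons.append(f"system-looking name but binary outside Windows/Program Files: {cmd}")
    return reasons

def triage(events):
    """events: dicts with the TaskName and TaskContent fields of Security event 4698."""
    return {e["TaskName"]: score_task(e["TaskName"], e["TaskContent"]) for e in events}

def _task_xml(command, arguments=""):
    """Build a minimal task body for the constructed samples below (not captured data)."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed sample events: one benign built-in style task, two that mimic the pattern above.
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o")},
    {"TaskName": r"\MsUpdateTask",
     "TaskContent": _task_xml(r"C:\Users\Public\Libraries\updater.exe")},
    {"TaskName": r"\Backup",
     "TaskContent": _task_xml(r"C:\Windows\System32\rundll32.exe",
                              r"C:\Users\alice\AppData\Roaming\svc.dll,Start")},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name, "->", reasons or ["no finding"])
```

Fed real 4698 records from a SIEM export, `triage` returns only the tasks that need an analyst's eyes, while the benign built-in style entry scores clean.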