Conti Ransomware ‘Acquires’ TrickBot as It Thrives Amid Crackdowns

Experts at threat intelligence and ransomware disruption company AdvIntel believe the notorious TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.

Experts at threat intelligence and ransomware disruption company AdvIntel believe the notorious TrickBot malware has reached its limits, but its development team appears to have been “acquired” by the Conti ransomware gang, which has been thriving amid recent crackdowns.

TrickBot has been around since 2016. It was initially a banking trojan designed to steal financial data, but it evolved into a modular stealer that could target a wide range of information.

TrickBot has survived a takedown attempt and the arrests of some developers. It also helped the Emotet malware get back in the game following a law enforcement action that disrupted its global operation in January 2021.

TrickBot developers have also collaborated with the creators of the Ryuk and Conti ransomware.

The Conti ransomware emerged in 2020 and cybercriminals have used it in attacks against many organizations worldwide. In these attacks, Conti operators not only encrypt files on compromised systems, but also steal data that they can threaten to leak if the victim refuses to pay a ransom. The cybercriminals are believed to have made hundreds of millions of dollars.

More than a dozen victims are listed on Conti’s Tor-based leak website at the time of writing, including British snacks company KP Snacks. The hackers have leaked hundreds of megabytes of data allegedly stolen from the firm.

The Conti group appears to have prospered and AdvIntel says they have reached “crime syndicate” status during a time when law enforcement organizations worldwide — including in Russia — have increasingly cracked down on cybercrime.

“Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti, possibly even for its survival,” AdvIntel said. “The Emotet-TrickBot-Ryuk supply chain was extremely resilient. And with a stable and high-quality supply of accesses coming from a single organized source, Conti was able to maintain its image without any major structural changes. When the rest of the ransomware gangs were massively hiring random affiliates and delegating them to breach corporate networks, Conti was working in a trust-based, team-based manner.”

“And when said random affiliates began to randomly hack Western infrastructure and randomly blackmail Western leaders, calling the wrath of the Russian security apparatus on their heads, Conti merely kept a clear code of conduct and continued operations as normal,” it added.

According to the company, Conti at one point became “the sole end-user of TrickBot’s botnet product,” which ultimately led to TrickBot being essentially acquired by the Conti group by the end of 2021.

TrickBot is still operational, but the vast number of indicators of compromise (IoCs) associated with the malware has made it easy to detect, and Conti no longer uses it, AdvIntel said. While the TrickBot malware has reached its limits, its “elite developers and managers” remain very useful to the Conti operation.

The TrickBot group has been working on BazarBackdoor, a stealthier malware that is currently used in attacks aimed at high-value targets.

“[The] people who have led TrickBot throughout its long run will not simply disappear,” AdvIntel said. “After being ‘acquired’ by Conti, they are now rich in prospects with the secure ground beneath them, and Conti will always find a way to make use of the available talent.”

Related: Researchers Hack Conti Ransomware Infrastructure

Related: U.S. Issues Conti Alert as Second Farming Cooperative Hit by Ransomware

Related: Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.