On Thursday 24th of February 2022, the TrickBot malware operation is believed to have shut down after it was reported that their core developers have move to the Conti ransomware gang to focus development on the other malware families which Conti has in their operations. TrickBot has been a key Windows malware which has been part of the threat landscape since 2016. The malware is commonly installed via malicious phishing emails or other malware like trojan and has been observed running quietly on a victim’s computer while it downloads modules to perform different tasks.
Trickbot has had a long connection to ransomware groups as it has been linked to many groups. The first observed relationship was with the Ryuk ransomware operation in 2019 who used the malware to gain initial access to networks. And they were later seen partnering with the Conti ransomware group in 2020. Although in 2021, it was observed that they attempted to lunach their own ransomware operation known as Diavol but due to law enforcement efforts including the arrest of one of their key developers, the operation never launched off the ground.
Based on research done by cyber security organisations, it is believed the development of the TrickBot malware has been taken over the Conti ransomware group for their own needs while the developers have been moved onto the development of more stealthy malware families like BazarBackdoor.