Threat Intelligence Tarot
pentacles · 8
Criminal (Russian-speaking - likely Saint Petersburg)
MITRE ATT&CK group G0102 · ★★★★★ · risk 5/5
✦ The Second Stage ✦
TrickBot / Ryuk
Wizard Spider · Gold Blackburn
Targets: Banks · Healthcare · Local government · Hospitals · Global enterprise
Active since ~2016 · Banking credential theft, Ransomware payload delivery, Enterprise network reconnaissance
TrickBot arrives first - the email, the attachment, the banking trojan. It learns the network, spreads, and steals credentials. Then it calls Ryuk. The Second Stage is what happens when cybercrime industrializes: one group for initial access, one for reconnaissance, one for the ransom. Division of labor at scale.
Tactics & Techniques
Tactic chain: RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
- T1566.001 Spearphishing Attachment (Initial Access)
- T1059.003 Windows Command Shell (Execution)
- T1486 Data Encrypted for Impact (Impact)
- T1021.002 SMB/Windows Admin Shares (Lateral Movement)
- T1003.001 LSASS Memory (Credential Access)
- T1134 Access Token Manipulation (Privilege Escalation)
- T1548.002 Bypass User Account Control (Privilege Escalation)
Notable Operations
- ◆ TrickBot banking trojan - 250M+ machines infected globally
- ◆ Ryuk ransomware delivery via TrickBot - $150M+ in ransoms
- ◆ US hospital attacks during the COVID-19 pandemic (2020)
- ◆ UHS hospital chain attack affecting 400 US locations
Defenses
- ▸ Email sandbox and attachment detonation before delivery (CIS Control 9)
- ▸ Network segmentation to limit TrickBot lateral movement (CIS Control 12)
- ▸ Healthcare system offline backup and manual procedure planning (HHS 405(d) guidance)
- ▸ LSASS memory protection and Credential Guard (CIS Control 5)
Reversed: Their Weakness
Despite being one of the largest botnets ever constructed, TrickBot was significantly disrupted by a Microsoft-led legal and technical operation in October 2020, executed days before the US election to prevent election system compromise. The disruption demonstrated private-sector-led offensive cyber operations as a viable defensive tool.
Data sourced from MITRE ATT&CK. For educational purposes.