{
	"id": "9e7346bf-5b74-4afc-8907-e482710dcd50",
	"created_at": "2026-04-06T00:15:29.600889Z",
	"updated_at": "2026-04-10T03:21:26.115904Z",
	"deleted_at": null,
	"sha1_hash": "1e0df9db13b47d6dc79fd2ea979756e7560e6aba",
	"title": "Trickbot operation is now controlled by Conti ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 429640,
	"plain_text": "Trickbot operation is now controlled by Conti ransomware\r\nBy Pierluigi Paganini\r\nPublished: 2022-02-20 · Archived: 2026-04-02 11:32:54 UTC\r\nThe Conti ransomware group takes over the TrickBot malware operation and plans to\r\nreplace it with BazarBackdoor malware.\r\nThe TrickBot operation has reached the end of its journey: according to AdvIntel, some of its top members have moved\r\nunder the Conti ransomware gang, which is planning to replace the popular banking Trojan with the stealthier\r\nBazarBackdoor.\r\nTrickBot is a popular Windows banking Trojan that has been around since October 2016; its authors have\r\ncontinuously upgraded it by implementing new features, including powerful password-stealing capabilities.\r\nTrickBot initially partnered with the Ryuk ransomware operation, which used it for initial access into networks compromised by\r\nthe botnet. Ryuk was then replaced by the Conti ransomware gang, which has been using TrickBot for the same\r\npurpose.\r\n“The group’s elite division, called Overdose, managed the TrickBot campaigns that resulted in the creation of\r\nConti and Ryuk ransomware.” states the analysis published by AdvIntel. 
“The group has made at least $200 million\r\nUSD with one extreme case extorting ~$34 million USD from a single victim and has perpetrated a spate of\r\nattacks on numerous healthcare organizations, including Universal Health Services (UHS) via BazarBackdoor to\r\nRyuk ransomware (the attack was estimated for an account for $67 Million USD in damages).”\r\nIn 2021, the Conti gang had exclusive use of TrickBot to gain initial access to the networks of organizations\r\nworldwide.\r\nThe goal of the Conti gang is to aggregate highly skilled members of the ransomware ecosystem into a structure\r\nthat gives them a little autonomy, in order to monopolize the market.\r\nTrickBot’s core team of developers had already created a stealthier piece of malware dubbed BazarBackdoor,\r\nwhich is used to gain remote access to corporate networks and then deploy the ransomware.\r\nAs TrickBot grew in popularity, it became easy for antimalware solutions to detect; for this reason,\r\nthe gang began employing BazarBackdoor for initial access to networks.\r\nBy the end of 2021, the Conti gang employed core developers and managers of the TrickBot botnet.\r\n“At the same time, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had\r\nessentially acquired TrickBot, with multiple elite developers and managers joining the ransomware cosa nostra.”\r\nconcludes the post.\r\n“However, the people who have led TrickBot throughout its long run will not simply disappear. 
After being\r\n“acquired” by Conti, they are now rich in prospects with the secure ground beneath them, and Conti will always\r\nfind a way to make use of the available talent.”\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, Conti ransomware)\r\nSource: https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html"
	],
	"report_names": [
		"conti-ransomware-takes-over-trickbot.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e0df9db13b47d6dc79fd2ea979756e7560e6aba.pdf",
		"text": "https://archive.orkl.eu/1e0df9db13b47d6dc79fd2ea979756e7560e6aba.txt",
		"img": "https://archive.orkl.eu/1e0df9db13b47d6dc79fd2ea979756e7560e6aba.jpg"
	}
}