# Trickbot operation is now controlled by Conti ransomware **[securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html](https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html)** February 20, 2022 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) February 20, 2022 ## The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware. [TrickBot operation has arrived at the end of the journey, according to AdvIntel some of its top](https://securityaffairs.co/wordpress/128087/malware/trickbot-targets-60-high-profile-companies.html) [members move under the Conti ransomware gang, which is planning to replace the popular](https://securityaffairs.co/wordpress/126988/cyber-crime/bank-indonesia-conti-ransomware.html) [banking Trojan with the stealthier BazarBackdoor.](https://securityaffairs.co/wordpress/126979/cyber-crime/fbi-links-diavol-ransomware-trickbot.html) [TrickBot is a popular Windows banking Trojan that has been around since October 2016, its](https://securityaffairs.co/wordpress/81264/malware/trickbot-malware-evolves.html) authors have continuously upgraded it by implementing new features, including powerful password-stealing capabilities. TrickBot initially partnered with Ryuk ransomware that used it for initial access in the network compromised by the botnet. Then Ryuk was replaced by Conti Ransomware gang who has been using Trickbot for the same purpose. _“The group’s elite division, called Overdose, managed the TrickBot campaigns that resulted_ _[in the creation of Conti and Ryuk ransomware.” states the analysis published by AdvInt. “The](https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works)_ _group has made at least $200 million USD with one extreme case extorting ~$34 million USD_ _from a single victim and has perpetrated a spate of attacks on numerous healthcare_ _[organizations, including Universal Health Services (UHS) via BazarBackdoor to Ryuk](https://www.hipaajournal.com/universal-health-services-ransomware-attack-cost-67-million-in-2020/)_ _[ransomware (the attack was estimated for an account for $67 Million USD in damages).”](https://www.healthcareitnews.com/news/universal-health-services-faces-67-million-loss-after-cyberattack#:~:text=The%20September%202020%20apparent%20ransomware,the%20health%20system's%20U.S.%20facilities.&text=Universal%20Health%20Services%20reported%20an,shutdown%20throughout%20its%20U.S.%20facilities)_ ----- In 2021, the Conti gang used in exclusive the TrickBot to achieve initial accesses in the network of organizations worldwide. The goal of the Conti gang is to aggregate highly skilled members of the ransomware ecosystem in a structure, which gives them a little autonomy, to monopolize the market. The TrickBot’s core team of developers had already created a stealthier piece of malware dubbed BazarBackdoor, used to achieve remote access into corporate networks and use it to deploy the ransomware. With the increasing popularity of TrickBot it became easy to detect it with antimalware solutions, for this reason the gang began employing the BazarBackdoor for initial access to networks. By the end of 2021, Conti gang employed core developers and managers of the TrickBot botnet. _“At the same time, Conti turned into the sole end-user of TrickBot’s botnet product. By the_ _end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and_ _managers joining the ransomware cosa nostra.” concludes the post._ _“However, the people who have led TrickBot throughout its long run will not simply disappear._ _After being “acquired” by Conti, they are now rich in prospects with the secure ground_ _beneath them, and Conti will always find a way to make use of the available talent.”_ ----- **[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)** **[(SecurityAffairs –](http://securityaffairs.co/wordpress/)** **hacking, Conti ransomware)** You might also like **[Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks](https://securityaffairs.co/wordpress/131762/apt/gamaredon-apt-ddos-attacks.html)** May 28, 2022 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) ----- **[The strange link between Industrial Spy and the Cuba ransomware operation](https://securityaffairs.co/wordpress/131754/cyber-crime/industrial-spy-cuba-ransomware.html)** May 28, 2022 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip) Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved. Back to top [Home](http://securityaffairs.co/wordpress/) [Cyber Crime](https://securityaffairs.co/wordpress/category/cyber-crime) [Cyber warfare](https://securityaffairs.co/wordpress/category/cyber-warfare-2) [APT](https://securityaffairs.co/wordpress/category/apt) [Data Breach](https://securityaffairs.co/wordpress/category/data-breach) [Deep Web](https://securityaffairs.co/wordpress/category/deep-web) [Digital ID](https://securityaffairs.co/wordpress/category/digital-id) [Hacking](https://securityaffairs.co/wordpress/category/hacking) [Hacktivism](https://securityaffairs.co/wordpress/category/hacktivism) [Intelligence](https://securityaffairs.co/wordpress/category/intelligence) [Internet of Things](https://securityaffairs.co/wordpress/category/iot) [Laws and regulations](https://securityaffairs.co/wordpress/category/laws-and-regulations) [Malware](https://securityaffairs.co/wordpress/category/malware) [Mobile](https://securityaffairs.co/wordpress/category/mobile-2) [Reports](https://securityaffairs.co/wordpress/category/reports) [Security](https://securityaffairs.co/wordpress/category/security) [Social Networks](https://securityaffairs.co/wordpress/category/social-networks) [Terrorism](https://securityaffairs.co/wordpress/category/terrorism) [ICS-SCADA](https://securityaffairs.co/wordpress/category/ics-scada) [EXTENDED COOKIE POLICY](https://securityaffairs.co/wordpress/extended-cookie-policy) [Contact me](https://securityaffairs.co/wordpress/contact) -----