Meet Alla “Max” Witte, the 55-year-old Latvian national who was part of Trickbot cybercrime gang responsible for infecting millions of computers around the world

As we reported last month, Colonial Pipeline surrendered to hackers five days after a crippling cyberattack shut down the largest fuel pipeline network in the United States. With just one password, hackers successfully installed a piece of ransomware and compromised the entire Colonial Pipeline’s IT infrastructure.

In the end, Colonial was forced to pay the hackers nearly $5 million in ransom via an untraceable cryptocurrency before The Department of Justice (DOJ) later recovered about $2.3 million of the cryptocurrency.

However, the hacking of Colonial Pipeline is not an isolated incident. JBS, the world’s largest meat factory was also hacked. JBS was also forced to pay a ransom of $10 million to the hacking group. According to security research firm Cybersecurity Ventures, ransomware is expected to take place on an average of every 11 seconds in 2011, up from every 14 seconds in 2019. The firm also predicted that ransomware will cost businesses $6 trillion annually by 2021.

So, who is behind these ransomware attacks? Of course, we may know the hackers behind all the global cyberattacks. What we do know is that some of these attacks are caused by state-sponsored threat actors. In addition, the DOJ also said in a press release that a 55-year-old Latvian national who goes by the name Alla Witte, was part of the cybercrime gang (Trickbot) responsible for infecting millions of computers around the world. Known as Trickbot Group, the criminal organization is a malware-as-a-service platform that operated in Russia, Belarus, Ukraine, and Suriname.

alleged to have worked as a programmer for Trickbot, a malware-as-a-service platform responsible for infecting millions of computers and seeding many of those systems with ransomware.

According to the DOJ announcement, Alla Witte, aka Max, 55, was charged in 19 counts of a 47-count indictment. The agency alleged that Alla Witte had worked as a programmer and accuses her of participating in a criminal organization referred to as the “Trickbot Group,” which deployed the Trickbot malware.

The Trickbot Group primarily targeted victim computers belonging to businesses, entities, and individuals, including those in the Northern District of Ohio and elsewhere in the United States. Targets included hospitals, schools, public utilities, and governments. Witte, who previously resided in Paramaribo, Suriname, was arrested on Feb. 6, in Miami, Florida.

So, the question everyone was asking is, just how did a self-employed website designer and mother of two come to work for one of the world’s most notorious cybercriminal groups and then leave such a digital trail of clues indicating her involvement with the gang?

According to a piece at KrebsonSecurity, the indictment released by the DOJ (PDF) provides some clues about Alla “Max” Witte’s technical background. The 61-page indictment says that “Witte provided code to the Trickbot Group for a web panel used to access victim data stored in a database.”

On page 13 of the indictment, DOJ said that “Witte was a Malware Developer for the Trickbot Group, overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot.”

The DOJ also revealed that that database contained a large number of credit card numbers and stolen credentials from the Trickbot botnet, as well as information about infected machines available as bots.

The indictment further reveals that:

“Witte provided code to this repository that showed an infected computer or ‘bot’ status in different colors based on the colors of a traffic light and allowed other Trickbot Group members to know when their co-conspirators were working on a particular infected machine.”

Witte was a national of Russia. During the timeframe of the indictment, Witte resided in Suriname. She was arrested in Miami while flying from Suriname.

In addition to the DOJ indictment, KrebsonSecurity also cited a tweet posted by Vitali Kremez. The tweet seems to indicate at one point last year, Witte actually hosted Trickbot malware on a vanity website registered in her name — allawitte[.]nl.

That’s not all. A screengrab from the archive page of allawitte[.]nl in 2016 also shed more light on who Witte really is.

Credit: KrebsOnSecurity

Besides, another archive from a Google-translated post that Witte made to her Vkontakte page on April 22, 2013, five years before allegedly joining the Trickbot group, reveals that Witte loved to fly to clients in different countries.

Credit: KrebsOnSecurity

Meanwhile, DOJ Deputy Attorney General Lisa O. Monaco said: “This indictment demonstrates the broad reach of the Department of Justice’s Ransomware and Digital Extortion Task Force.”

She added: “Trickbot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware. The defendant is accused of working with others in the transnational criminal organization to develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom. These charges serve as a warning to would-be cybercriminals that the Department of Justice, through the Ransomware and Digital Extortion Task Force and alongside our partners, will use all the tools at our disposal to disrupt the cybercriminal ecosystem.”

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said Acting U.S. Attorney Bridget M. Brennan of the Northern District of Ohio. “Federal law enforcement, along with assistance provided by international partners, continue to fight and disrupt ransomware and malware where feasible. We are united in our efforts to hold transnational hackers accountable for their actions.”

“Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems,” said Special Agent in Charge Eric B. Smith of the FBI’s Cleveland Field Office. “Cyber intrusions and malware infections take significant time, expertise, and investigative effort, but the FBI will ensure these hackers are held accountable, no matter where they reside or how anonymous they think they are.”