On Friday, the Justice Department announced that it arrested 55-year-old Latvian national Alla Witte, charging her for playing a role in "a transnational cybercrime organization" that was behind "Trickbot," one of the most well-known and widely used banking trojans and ransomware tools.
Witte is now facing 19 different charges ranging from computer fraud to aggravated identity theft for the part she played in the Trickbot group, which helped disseminate the malware from Russia, Belarus, Ukraine, and Suriname. The group was made up of people who were also involved in the Dyre ransomware, according to the indictment.
Deputy Attorney General Lisa Monaco, who heads up the new Ransomware and Digital Extortion Task Force, said in a statement that Trickbot was used to infect millions of computers, harvest banking credentials and deliver ransomware to organizations across the US, Europe and India.
Prosecutors alleged that since 2015, Witte worked as a malware developer to "develop and deploy a digital suite of malware tools used to target businesses and individuals all over the world for theft and ransom." She was also personally implicated in an effort to force a ransom victim to pay the group in Bitcoin in exchange for a decryption software.
She wrote code "related to the control, deployment, and payments of ransomware," according to the indictment and also provided code that "monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials."
She was arraigned in an Ohio district court and faces up to 87 years in prison if convicted.
Witte was one of many names listed in the indictment but most of her co-conspirators' names were blacked out, indicating more indictments are coming. The gang used Trickbot to steal online banking credentials, which then gave the group further access to victims' credit card numbers, emails, passwords, dates of birth, social security numbers and addresses.
ZDNet reported that Witte was arrested in Miami four months ago.
Cybersecurity experts said the case was an example of how cybercriminals can face consequences when private companies work with the government to address attacks. Many tied the indictment to the other recent actions by the White House and Justice Department to not only help companies hit with ransomware but impose some costs on bad actors.
Charles Herring, co-founder of cybersecurity firm WitFoo, said it was the first "mature" collaboration between the financial sector and law enforcement, noting that a report from the FBI last year found that when companies work with them, stolen funds are recovered 82% of the time.
On Monday the FBI announced that it was able to recover more than half of the Bitcoin Colonial Pipeline paid to a ransomware group that shut down their systems for days last month.
"The potential penalty for this specific criminal is decades in prison. That not only creates deterrence for the directly impacted criminal but also sends a strong message to other criminals," Herring said.
"The second myth disproved in this indictment is that foreign actors are untouchable by law enforcement. As governments collaborate on increasing deterrence for cybercrime, criminals are going to find very few havens."
Some cybersecurity officials said this specific arrest would do little to disrupt lucrative ransomware operations, but others noted that those involved in ransomware would definitely take notice.
Cato Networks senior director of security strategy Etay Maor said that what was different about this case was that a malware developer was actually arrested.
Usually, Maor explained, law enforcement can only apprehend mules and very low level accomplices that operate within the country's jurisdiction, so arresting malware developers is generally complicated.
"In the past, law enforcement officers waited for targets to go on vacation or arrive at a country that has an extradition agreement with the US. This individual was in South America then moved to Florida and Ohio, which seems atypical," Maor said.
"Why would you go to a country that is obviously looking for you and risk an arrest? A malware developer out of the game is always a good thing, but I also hope that the FBI has a chance to interview her and learn more of the technical and personal operations of these gangs. It's not every day you have a chance like this."
New Net Technologies vice president Dirk Schrader added that Microsoft tried to take down Trickbot last year and noted that the arrest warrant for Witte is dated August 13, 2020, just a few weeks before Microsoft announced the takedown of 94% of Trickbots' command and control servers.
Schrader also said the details in the indictment are full of information about the setup of ransomware gangs, the logistics involved, and to what length they will go to have as many victims as possible.
Greg Ake, senior threat researcher at Huntress, told ZDNet that there now seems to be a minimum threshold of damage that can be caused by a ransomware group before federal involvement becomes serious.
"In the end, it does appear that crime doesn't pay for some. The sad reality is that there are many more threats than there are resources for these criminal investigations," Ake said.
"There are many more that never do, and as such, do not get the adequate resources they need to fully investigate and deter. Waiting on federal support may be too late for many."