Nearly one year ago, in August 2020, the Department of Justice issued charges and arrest warrants against a number of threat actors running Trickbot botnet who were attacking millions of computer systems worldwide. It is probably not a coincidence that within a month US Cyber Command and Microsoft separately delivered strategic strikes against Trickbot, forever changing their operations and scale.
2021 began with several sizeable victories for international law enforcement. First, in January came an arrest in Ukraine, taking down a careless administrator of the virus distribution component of the Trickbot- Emotet. Then, in February there was an arrest of a developer of the Trickbot platform and ransomware components, and perhaps one of the most unusual threat actresses of our time – Max aka Alla Witte.
Hold Security's Threat Intelligence Services monitors many major threat and ransomware groups, hence after months of watching Alla Witte’s saga playing out, we want to share more information around this fascinating threat actress.
In 1965, in Soviet Union city Rostov-on-Don, which is now a part of Russia, Alla Klimova (Алла Климова) was born. Before the fall of the Soviet Union, in 1983 she moved to Riga, Latvia to study Applied Mathematics at the University of Latvia where she remained for a number of years after Latvia became a separate country.
She held several interesting jobs such as a sales manager and a teacher, but her passion throughout her life was programming. In numerous posts on the various Russian-language forums, Alla Klimova admits that her interests in technology started later in life. In 2004, she got a job with a Dutch AOSH EU and in 2007, after getting married, now Alla Witte, moved to Amsterdam.
With her husband, Ms. Witte travels the world enjoying life and many experiences which she shares with her family. Yet, over the past number of years, her family has moved to the South American country of Suriname.
If you look at the public part of the professional life of Alla Witte, you might admire her passion for technology, entrepreneurship, and advocacy toward her life calling.
In 2013 she writes: “I want to be a great programmer who is capable of creating exclusive solutions and travel to clients in different countries. I work for myself and clients for an enormous amount of time because I can do it, so I am doing it.”
In her native Russian language on many forms, she dispenses advice to novices, reviews educational materials, and publicly thanks those who helped her.
“You are absolutely correct that you have to exclude from your life those who try to prove that you will not accomplish anything.” Alla Witte writes in comments to a video with advice to job seekers. “I have heard everything – you are too old for this type of job… Overall, I spoke over the Internet with several people who supported me or gave me professional advice…”
We lost count of the online communities where Alla Witte advertised her services as a freelancing developer. Since 2012 she has earned a living as a developer-for-hire completing a number of projects and getting positive reviews for her work.
“Alla – great performer! Very much like to work with her, everything was done with high quality…”
She had the dream of not only creating functional web pages, but pieces of art. She even created her own website allawitte.nl to showcase her development skills with development samples from a real estate application to a taxi service. Perhaps it was through one of these freelancing websites or through a customer reference that the Trickbot gang found Ms. Witte and brought her into the group.
Alla Witte doesn't look like a criminal, everything in her character and traits makes her a nice person. Some may even question if someone cleverly framed this nice lady for all these crimes. We want to assure you that there is another side to Alla Witte, where she acted knowingly and maliciously as a part of the Trickbot gang.
In a number of her social media posts, Alla Witte refers to someone close to her (perhaps her husband) named Max. Using this nickname inside the gang, she spends time developing malicious software dealing with botnet operations and ransomware components. Since she tends to be technical and trustworthy, she was allowed to work on some of the critical components of Trickbot.
Though she is a developer and a part of a cyber gang, when it comes to operational security, Alla Witte is a failure. Many cybercriminals have social media profiles, some very active and outgoing, but mixing public profile and nefarious activities is a no-no.
Lapses in opsec are so blatant that it is no surprise that she was apprehend by law enforcement. In January of 2020, she even used her personal website to distribute Trickbot malware as reported on Twitter by @gorimpthon.
Many in the gang not only knew her gender but her name too. Several group members had AllaWitte folders with data. They refer to Alla almost like they would address their mothers and, therefore, her arrest was taken much more seriously than the Emotet administrator arrest.
Perhaps the greatest lapse in judgement was around Christmas time in 2019 when Alla Witte infected one of her own computers with the Trickbot malware, allowing it to steal and log her data within the botnet interface. On top of the password re-use, the data shows a great insight into her professional and personal Internet usage.
Alla (Klimova) Witte is not a criminal mastermind nor is she an ordinary cybercriminal. Her public profile is an inspiration to developers breaking sexism and ageism barriers. However, as a part of the Trickbot gang, she should serve as a warning.
Trickbot is rebuilding and expanding far beyond its current shell. Actions taken by international law enforcement should send a message that is loud and clear, that this gang membership will be prosecuted.
Click here to find out more about Hold Security Dark Web Monitoring capabilities.