TrickBot Behind More Than $724 Million in Crypto Theft and Extortion

Cybercriminals are escalating their tactics, moving beyond traditional data encryption to employ a more aggressive approach known as quadruple extortion. This alarming trend is explained in the latest Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape, released today by Akamai, a leading cybersecurity and cloud computing firm.
The report reveals that while double extortion (a technique where attackers encrypt data and threaten to leak it if a ransom isn’t paid) remains common, the emerging quadruple extortion adds layers of pressure. This includes using distributed denial-of-service (DDoS) attacks to shut down a victim’s operations and harassing third parties, like customers, business partners, or even the media, to increase the demand for payment.
“Ransomware threats today aren’t just about encryption anymore,” stated Steve Winterfeld, Advisory CISO at Akamai. He emphasised that attackers are now leveraging “stolen data, public exposure, and service outages to increase the pressure on victims,” turning cyberattacks into major business crises.
The Akamai report also highlights other significant developments in the world of cybercrime. Generative AI and large language models (LLMs) are making it easier for individuals with less technical skill to launch complex ransomware attacks by helping them write malicious code and improve their social engineering techniques. The report specifically notes that groups like Black Basta and FunkSec, along with other RaaS platforms, are quickly adopting AI and evolving their extortion tactics.
Additionally, hybrid groups, combining the motives of hacktivists with ransomware, are increasingly using ransomware-as-a-service (RaaS) platforms. These platforms allow individuals or groups to rent access to ransomware tools and infrastructure, amplifying their impact for a mix of political, ideological, and financial reasons. An example is Dragon RaaS, which emerged in 2024 from the Stormous group, now focusing on smaller, less secure organisations.
The research indicates that certain sectors are particularly vulnerable. Nearly half of all cryptomining attacks, which involve secretly using a victim’s computer resources to mine cryptocurrency, targeted non-profit and educational organisations. This is likely due to these organisations often having fewer resources dedicated to cybersecurity.
For decades, TrickBot malware has been known for hijacking cryptocurrency transactions, and the financial damage caused by these groups is finally being quantified. The TrickBot malware family, widely used by ransomware groups, has alone been responsible for extorting over $724 million in cryptocurrency from victims since 2016.
Although TrickBot’s infrastructure was dismantled in 2020, Akamai’s Guardicore Hunt Team recently identified continued suspicious activity from it on several customer systems.
TrickBot malware spreads primarily through phishing emails, which are created to look like legitimate messages from banks, delivery services, or government agencies. These emails include malicious attachments, such as Word or Excel files, or links to compromised websites. When a user opens one of these attachments, they may be prompted to enable macros. If they do, malicious scripts run in the background and quietly install TrickBot on the system.
In addition to phishing, TrickBot can exploit unpatched software vulnerabilities. If a system hasn’t been updated with the latest security fixes, the malware can use those flaws to gain access or spread across the network. It’s also common for TrickBot to be delivered by other malware, especially Emotet or QakBot. These act as loaders, setting up the infection so TrickBot can follow.
Once TrickBot gains access, it harvests login credentials, maps out connected systems, and infects other machines. This infection chain allows it to collect more data and sometimes even deploy ransomware.
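The delivery step described above hinges on a macro-enabled Office attachment. The following added example (not code from the report or from Akamai) shows how a mail gateway or triage script can flag such attachments before a user is ever asked to "enable macros": it opens each OOXML package (.docx/.docm/.xlsx/.xlsm are ZIP containers) and looks for a VBA project part, ignoring the file extension, which is not a trustworthy signal. The sample attachments are constructed in memory and contain no real macro code.

```python
import io
import zipfile

# OOXML content type that marks an embedded VBA project.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_macros(blob: bytes) -> bool:
    """True if an OOXML attachment carries a VBA project (two independent signals)."""
    if not blob.startswith(b"PK\x03\x04"):
        # Not a ZIP-based package; legacy OLE .doc/.xls need a different parser.
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith("vbaproject.bin"):          # the macro container itself
                    return True
                if name == "[content_types].xml" and MACRO_CONTENT_TYPE in zf.read(info):
                    return True                               # declared macro content type
    except zipfile.BadZipFile:
        return False  # corrupt archive: not a parsable macro document
    return False


def triage_attachments(attachments: dict) -> list:
    """Map of filename -> bytes; returns the names to quarantine, sorted."""
    return sorted(n for n, blob in attachments.items() if has_vba_macros(blob))


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments (placeholders, no real macro code):
# a clean .docx, a declared .docm, and a file renamed to .docx that still
# carries a vbaProject.bin part, plus a non-Office file.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _make_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "invoice.docm": _make_ooxml({"[Content_Types].xml": b'<Override ContentType="' + MACRO_CONTENT_TYPE + b'"/>',
                                 "word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"placeholder"}),
    "shipping.docx": _make_ooxml({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"placeholder"}),
    "notes.txt": b"plain text, not an Office package",
}

if __name__ == "__main__":
    print("quarantine:", triage_attachments(SAMPLE_ATTACHMENTS))  # prints ['invoice.docm', 'shipping.docx']
```

Flagging on the VBA part rather than the extension is the point: the macro prompt the phishing lure relies on only appears if the part is present, so this check catches the renamed file as well.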
James A. Casey, Akamai’s Vice President and Chief Privacy Officer, emphasised the importance of strong cybersecurity measures, incident reporting, and effective risk management strategies, such as Zero Trust and micro-segmentation, to build resilience against these evolving threats. He stressed that organisations must stay updated and adapt their defences to counter the changing tactics of cyber extortion.
HackRead