40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.

The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

“Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses,” DoJ said. “While active, TrickBot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants.”

Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022.

The cybercrime crew’s allegiance to Russia during the Russo-Ukrainian war led to a series of leaks dubbed ContiLeaks and TrickLeaks, which precipitated its shutdown in mid-2022, resulting in its fragmentation into numerous other ransomware and data extortion groups.

Dunaev is said to have provided specialized services and technical abilities to further the TrickBot scheme between June 2016 and June 2021, using it to deliver ransomware against hospitals, schools, and businesses.

Specifically, the defendant developed browser modifications and malicious tools that made it possible to harvest credentials and sensitive data from compromised machines as well as enable remote access. He also created programs to prevent the Trickbot malware from being detected by legitimate security software.

Another TrickBot developer, a Latvian national named Alla Witte, was sentenced to two years and eight months in prison in June 2023.

News of Dunaev’s sentencing comes days after governments from Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national and an affiliate for the REvil ransomware gang, for orchestrating the 2022 attack against health insurance provider Medibank.

Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.

As JimJones, he has also been observed attempting to recruit unethical penetration testers who would supply login credentials for vulnerable organizations for follow-on ransomware attacks in exchange for $500 per access and a 5% cut of the ransom proceeds.

“These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development, and ransomware attacks,” the company said, offering insights into his cybercrime history.

“Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development.”