In a bid to protect the upcoming elections, Microsoft helped disrupt a notorious botnet capable of delivering ransomware to computers.
The botnet, dubbed Trickbot, is still online. But through a court order, Microsoft disabled at least some of the command and control servers behind the malicious network of computers.
“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft Corporate VP Tom Burt wrote in a Monday blog post.
The company was concerned about Trickbot delivering ransomware to IT systems that maintain voter rolls and report election results. Such an attack would “sow chaos and distrust” in what’s already been a turbulent Presidential race, Burt said.
Trickbot itself has been around since 2016, and first arrived as a Trojan designed to trick victims into installing it onto their computers with the goal of stealing their online banking login credentials.
Since then, the malware has compromised computers across the globe, spreading itself via phishing email attacks. Most recently, the botnet was found sending fake emails laced with malware that mention COVID-19 and Black Lives Matter. Microsoft estimates Trickbot currently spans over a million computing devices, including those at large and small enterprises.
To make more money, the operators behind Trickbot have been selling access to their botnet to cybercriminals, who can use the same enslaved machines to launch other attacks.
“What makes [Trickbot] so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model,” Burt wrote in today’s blog post. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware.”
Specifically, Microsoft is blaming Trickbot for spreading the Ryuk ransomware, which has locked down the IT systems of companies and municipal governments in recent years. Last month, the ransomware was also reportedly involved in shutting down a major healthcare provider that operates 400 hospitals and behavioral health facilities.
To disrupt Trickbot, Microsoft analyzed 61,000 samples of Trickbot malware and identified the IP addresses for the command and control servers from which the botnet has been operating. “With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers,” Burt said.
Microsoft also teamed up with security firms, such as ESET and Symantec, to take down the botnet. However, Microsoft and its partners say the effort likely won’t kill the botnet, because Trickbot has various fallback mechanisms.
“While our work might not remove the threat posed by Trickbot, it will raise the cost of doing business for the criminal gang behind the botnet because they will be forced to divert resources away from exploitation activities in order to rebuild the parts of their infrastructure that we disrupted,” said Lumen’s security division Black Lotus Labs.
“Trying to disrupt this elusive threat is very challenging as it has various fallback mechanisms, and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex,” added ESET security researcher Jean-Ian Boutin in a statement.