Microsoft has taken action to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific distributors of ransomware. Trickbot has infected over a million computing devices around the world since late 2016.

According to Tom Burt, Corporate Vice President, Customer Security & Trust, at Microsoft, the company disrupted Trickbot through a court order it obtained, as well as technical action it executed in partnership with telecommunications providers around the world. "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," said Burt. "In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled."

In the course of Microsoft’s investigation into Trickbot, the company analyzed approximately 61,000 samples of Trickbot malware. Burt noted that what makes Trickbot so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. "Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations," Burt noted in his blog.

Burt added that the operators have recently been changing techniques based on the latest social and political discussions, such as Black Lives Matter and COVID-19, to distribute malware through phishing campaigns. Based on Microsoft's data, Trickbot has been the most prolific malware operation using COVID-19 themed lures, Burt says.

Austin Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “Trickbot, unlike some ransomware botnets, is modular. Modular ransomware botnet infection methods are not consistent; it depends on which version the attacker is using. These versions can also update themselves and download other features. This capability is one reason it is so popular among cybercriminals; it can be customized and developed further to make it more effective and profitable."

The U.S. government considers ransomware a top threat to the U.S. 2020 elections, as attacks can hold voter information and election results hostage, impacting election systems, adds Merritt. "Both the Ryuk and Conti ransomware gangs have partnered with TrickBot to gain access to compromised networks. When a computer becomes infected with TrickBot, the trojan will eventually provide remote access to one of the ransomware gangs. These attackers will then use the infected computer as a launching pad to compromise the entire network and deploy their ransomware."

Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider, notes, “The integrity and availability of systems during elections are critical to ensuring trust in the process. Botnets can be used to overwhelm servers through well-timed DDoS attacks as well as erode trust against compromised systems. Ransomware as a Service (RaaS) reduces the difficulty in maintaining ransomware infrastructure and launching attacks, evening the playing field for less skilled adversaries. Groups can scale their ransomware operations by writing less code and requiring less technical expertise to deliver malware.”

Merritt adds that the decision to file copyright claims against Trickbot’s malicious use of Microsoft’s software code can be an effective way to thwart efforts of malware propagation, especially with law enforcement assistance. "Civil action can protect customers in many countries around the world that have copyright laws in place. It is impossible to know how TrickBot may react to this approach; however, TrickBot operators have fallback mechanisms that allow them to maintain the botnet and recover lost computers infected with Trickbot."

Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Fla.-based provider of IT security and compliance software, says, “Most malware ventures are indiscriminate, so anything that increases scale and reach is beneficial to the gangs behind them. In particular, DDoS botnets have been created and offered for hire on a pay-as-you-go basis. Microsoft’s new tactic of using copyright law to go after threat actors is a creative way to get legal backing to take the fight to the Botnet Wranglers. It is good to see that, so far, it appears to have been effective in shutting down the majority of the Command and Control network.”