Microsoft won a court order to take control of IT infrastructure being used to infect devices with Trickbot, one of the most prolific botnets for distributing ransomware and one that Microsoft says poses a threat to the November election.
Working with a team of security companies and network operators, Microsoft disabled the IP addresses of the command-and-control servers that infected devices connect to in order to receive instructions from the Trickbot operators. The partners also suspended all services to the botnet operators and blocked their efforts to buy or lease additional servers.
Microsoft’s Digital Crimes Unit led the ransomware investigation, and it worked with partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Broadcom’s Symantec.
Trickbot has infected more than 1 million devices worldwide since 2016, Tom Burt, corporate VP of customer security and trust at Microsoft, wrote in a blog post. Both nation-states and criminal networks use Trickbot’s spam and spear phishing campaigns to distribute several forms of malware. This includes ransomware, which Burt warns is “one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.”
Attackers have used Trickbot to deliver Ryuk ransomware, which has been used to attack hospitals during the COVID-19 pandemic. In June, the University of California San Francisco School of Medicine paid a ransom of about $1.14 million, a portion of the amount originally demanded, to regain access to its encrypted servers. More recently, a woman died after a ransomware attack hit a German hospital and took down its IT systems; this is believed to be the first death attributable to a ransomware attack.
In addition to threatening elections and hospitals, Trickbot began life as a banking trojan and has been used to steal banking credentials and money from individuals and financial institutions.
Late last month the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a best practices guide intended to help enterprises prevent and respond to ransomware attacks.