Microsoft and an international group of tech industry organizations disrupted the botnet Trickbot, one of the world’s most prolific distributors of malware and ransomware.
Through a court order from the U.S. District Court for the Eastern District of Virginia and technical action in coordination with a group of technology organizations, Microsoft helped cut off key infrastructure so the operators of Trickbot can’t initiate new infections or activate ransomware that has already been dropped into computer systems.
In a blog post, Tom Burt, the company’s corporate vice president of customer security and trust, says this is good news for the upcoming election in the U.S. and others around the world.
As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.
The court order allowed Microsoft and those partners to disable the IP addresses Microsoft identified during its investigation. That rendered the content stored on the command and control servers inaccessible and suspended all services to the botnet operators.
It also blocked their efforts to purchase or lease additional services.
The action also helps to protect other organizations across various industries like financial services, government, healthcare, universities and other businesses.
According to Burt, Trickbot has infected over a million devices around the world since late 2016. The identity of the botnet’s operators is somewhat unknown, but they are believed to serve both nation-states and cybercriminals.
Burt says Microsoft analyzed 61,000 samples of Trickbot malware and found that it is particularly dangerous because it has modular capabilities that constantly evolve and infect victims for the operators’ purposes through a malware-as-a-service model.
The botnet not only infected computers, but also found its way into IOT devices like routers, extending Trickbot’s reach into our homes and other organizations.
Attackers’ methods of delivering Trickbot are also evolving, as the operators craft spam and spear phishing campaigns around hot-button topics like the Black Lives Matter movement and the COVID-19 pandemic to entice users to click on links in the email.
In addition to its threat to free and fair elections, Trickbot was also known to target online banking websites, healthcare, government networks and other organizations.