Microsoft Disrupts Botnet Installing Ransomware

Technology giant Microsoft has used a court order to disrupt one of the world's most notorious botnets.

Trickbot has infected over a million computing devices around the world since late 2016 and is a prolific distributor of ransomware. 

In a statement released today, Microsoft's corporate vice president of customer security and trust, Tom Burt, echoed a warning shared previously by the United States government that ransomware is "one of the largest threats to the upcoming elections." Burt said that Microsoft had moved against the botnet chiefly to protect America's election infrastructure and fight against cyber-attacks.

"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," said Burt.

Using a court order granted by the United States District Court for the Eastern District of Virginia, Burt said Microsoft teamed up with a global network of partners, including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, a division of Broadcom, to "disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers."

Microsoft used the court order to cut off key infrastructure so those operating Trickbot are no longer able to initiate new infections or activate ransomware that has already been dropped into computer systems.

"In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses, and universities from the various malware infections Trickbot enabled," said Burt.

Before taking action, Microsoft investigated Trickbot, analyzing approximately 61,000 samples of the malware.

"What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a 'malware-as-a-service' model," said Burt. 

"Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware." 

Burt said Trickbot's operators have leveraged topics that have dominated the news in a bid to distribute malware.

"Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures."
