Network Security, Content

Microsoft, Partners, Feds Dismantle Trickbot Network Before Elections

Microsoft, aided by a group of security companies along with a tandem effort by the U.S. Cyber Command, have dealt the massive, Russian-linked Trickbot operation a serious blow, slowing at least for a while the ransomware distributor’s worldwide malware campaigns.

The highly targeted initiatives are largely a preemptive strike against what U.S. officials predict is the expected assault by Trickbot operatives on the presidential election only three weeks away, armed with malware that could assail voter registration, voting and counting ballots and other critical systems.

Microsoft’s work to dismantle Trickbot comes on the heels of a quiet action two weeks ago by the U.S. Cyber Command to hack the hackers’ command and control servers around the world, as first reported by KrebsonSecurity. Cyber Command’s and Microsoft’s moves were reportedly not part of a coordinated effort.

Here’s how the operation played out:

How did Microsoft take down Trickbot?

A federal court in Virginia affirmed Microsoft’s claim that the Trickbot hackers had violated the U.S. Digital Millennium Copyright Act by using the vendor's code for malicious purposes. The court gave Microsoft and its partners clearance to disable the IP addresses, make inaccessible the content stored on the command and control servers, suspend all services to the botnet operators and block any effort by the Trickbot operators to purchase or lease additional servers.

The action represents a new legal approach for Microsoft in fighting cyber crime. The vendor said it began putting a strategy together to combat Trickbot last April but didn’t finalize its plan until earlier this month to leave the hackers only a small window to regroup before the November elections. During the investigation, Microsoft’s said its security team analyzed about 61,000 samples of Trickbot malware.

“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” wrote Tom Burt, Microsoft customer security and trust corporate vice president, in a blog post.

Who partnered with Microsoft in the operation?

Microsoft formed an international group of industry and telecommunications providers to carry out the operation. Its Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen its legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec.

Internet service providers (ISPs) and computer emergency readiness teams (CERTs) worldwide will contribute to any future efforts, Microsoft said.

What are Trickbot’s targets and victims?

TrickBot is the primary delivery pipelines for the notorious ransomware variant Ryuk and a prime mover in the ransomware-as-a-service model. It first appeared four years ago as a banking trojan tailored to steal credentials. It was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files. Ryuk allows a threat actor to identify and attack an organization’s critical network systems. It often goes undetected for several days or months following an initial infection.

In addition to financial services companies, its ransomware victims include city governments, school districts, media outlets, medical facilities, businesses and state agencies. Most recently, Trickbot hijacked more than 400 hospitals run by Universal Health Services reportedly with Ryuk ransomware. It has also been used to hit managed service providers and cloud service providers.

Is Trickbot connected to the Kremlin?

The operators are Russian-speaking but there’s no certainty the crew is tied to the Kremlin.

“We don’t know if this is Russian intelligence,” Burt told the New York Times. “It would be really easy for state actors to contract with TrickBot to distribute ransomware with the goal of hacking election systems. That risk is real particularly given that so much of the ransomware is targeting municipalities.”

Is Trickbot targeting U.S. elections?

The cyber gangsters haven’t previously aimed at U.S. elections but there’s evidence it was lining up attacks. Microsoft discovered that TrickBot’s operators were deploying surveillance tools to spy on infected computers and identify those belonging to election officials, Burt told the New York Times.

What’s next?

Microsoft expects Trickbot will regroup and revive its operations. Microsoft said will continue to work with its partners to monitor Trickbot’s activities and will make additional legal and technical moves to stop them, Burt said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.