Microsoft reveals action to disrupt Trickbot malware

Microsoft announced action to disrupt the Trickbot botnet, a global distributor of malware and ransomware that has compromised computers and IoT devices around the world.
Microsoft obtained a court order against Trickbot. Microsoft has also formed partnerships with a group of industry and telecommunications providers to stop the spread of Trickbot across the world.

Key infrastructure has been cut off so those operating Trickbot will not be able to initiate new infections or activate ransomware already dropped into computer systems.

The disruption of Trickbot, which has infected over a million computing devices since late 2016, marks a crucial development for Asia Pacific.

The Asia Pacific region experiences a higher-than-average encounter rate for ransomware attacks — 1.7 times higher than the rest of the world — with developing countries, including Indonesia, Sri Lanka, India, and Vietnam, the most vulnerable to malware and ransomware.

“Ransomware also poses a threat to the election infrastructure of a number of countries. In addition to its threat to elections, Trickbot is using malware to steal funds from people and financial institutions,” said Mary Jo Schrade, assistant general counsel, Microsoft Digital Crimes Unit, Asia.

The Microsoft Digital Crimes Unit (DCU) led the investigation effort, including detection, analysis, telemetry, and reverse engineering, drawing on data and insights from a network of partners, including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, in addition to the Microsoft Defender team, to strengthen the legal case.

In the course of Microsoft’s investigation into Trickbot, approximately 61,000 samples of Trickbot malware were analyzed. It has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a malware-as-a-service model. Its operators could provide customers access to infected machines and offer a delivery mechanism for many forms of malware.

Trickbot uses malware to intercept victims’ login credentials for online banking websites. It also infects victims’ computers with the Ryuk crypto-ransomware, which has been used in attacks against a range of public and private institutions. Ransomware can have devastating effects: most recently, it crippled the IT network of a German hospital, resulting in the death of a woman seeking emergency treatment.

Beyond infecting victims’ computers, Trickbot has infected Internet of Things (IoT) devices, such as routers, which extends its reach into households and organizations and expands the range of vulnerable targets to such devices.

Trickbot’s spam and spear phishing campaigns, which are used to distribute malware, have leveraged lures such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links.

Based on data from Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures.

Microsoft offerings

Microsoft offers AccountGuard, a threat notification service, at no cost; it now protects more than two million email accounts.

Microsoft has completed more than 1,500 AccountGuard nation-state attack notifications to AccountGuard enrollees to date.

Microsoft also offers Microsoft 365 for Campaigns. Microsoft 365 comes with default settings at an affordable price.

Election Security Advisors provide proactive resiliency services and reactive incident response for campaigns and election officials, also at an affordable price.