Microsoft Takes Action to Disrupt Botnet and Combat Ransomware

New Delhi: Today, Microsoft Corp. took action to disrupt a botnet, Trickbot, one of the world’s most infamous botnets and prolific distributors of malware and ransomware.

Trickbot was disrupted through a court order Microsoft obtained as well as technical action executed in partnership with an international group of industry and telecommunications providers including the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global intelligence sharing community connecting nearly 7,000 financial institutions, and NTT, a leading global technology service provider. Key infrastructure has now been cut off so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

The disruption of Trickbot, which has infected over a million computing devices around the world since late 2016, marks a crucial development for Asia Pacific. The region experiences a higher-than-average encounter rate for ransomware attacks — 1.7 times higher than the rest of the world — of which developing countries, including Indonesia, Sri Lanka, India, and Vietnam, were the most vulnerable to malware and ransomware[1].

“In recent months, we have seen ransomware attacks impact a large number of governmental entities and businesses, ranging from large conglomerates to hospitals, schools and universities in Asia,” said Mary Jo Schrade, Assistant General Counsel, Microsoft Digital Crimes Unit, Asia. “Ransomware also poses a threat to the election infrastructure of a number of countries. In addition to its threat to elections, Trickbot is known for using malware to steal funds from people and financial institutions. Financial institutions ranging from global banks and payments processors to regional credit unions have been targeted by Trickbot.”


To disrupt Trickbot, Microsoft formed an international group of industry and telecommunications providers. The Microsoft Digital Crimes Unit (DCU) led investigation efforts, including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen the legal case from a global network of partners, including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by Internet Service Providers (ISPs) and Computer Emergency Readiness Teams (CERTs) around the world.


Trickbot’s attack on computer systems in Asia

In the course of Microsoft’s investigation into Trickbot, approximately 61,000 samples of Trickbot malware were analyzed. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. Its operators could provide customers access to infected machines and offer a delivery mechanism for many forms of malware.


Trickbot is known for using malware to intercept victims’ log in credentials for online banking websites, but it also is used to infect victims’ computers with the Ryuk crypto-ransomware, which has been used in attacks against a wide range of public and private institutions. Ransomware can have devastating effects. Most recently, it crippled the IT network of a German hospital resulting in the death of a woman seeking emergency treatment.


Beyond infecting victims’ computers, Trickbot has also infected “Internet of Things” (IoT) devices, such as routers, which extends its reach into households and organizations, expanding the scope of vulnerable targets to devices that are often not updated or patched in a timely way.


Trickbot’s spam and spear phishing campaigns, which are used to distribute malware, have leveraged lures such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links. Based on data from Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures.


How businesses and home computer users can protect themselves

The top actions that businesses and home computer users can take to protect their systems are to use multifactor authentication, to always use good email hygiene, and to update and patch systems in a timely manner. Multi-factor authentication can stop credential-based attacks dead in their tracks. Without access to the additional factor, the attacker cannot access the account or protected resource. As 90% of attacks start with an email, preventing phishing (and its voicemail- and text-based variants, vishing and SMiShing) can limit the opportunity for attackers to succeed. Email hygiene platforms that incorporate filtering on the way in and link checking, like Safe Links, when clicked (on the way out) provide the most comprehensive protection. Finally, it is important to ensure that computers are using the most up-to-date versions of software because these patches and updates repair known vulnerabilities.


Microsoft’s Digital Crimes Unit will also continue to engage in operations to protect organizations involved in the democratic process and the entire customer base. Since 2010, Microsoft, through the Digital Crimes Unit, has collaborated with law enforcement and other partners on 23 malware and nation-state domain disruptions, resulting in over 500 million devices rescued from cybercriminals.