The company announced Monday that, together with telecommunications providers around the world, it was able to cut off the infrastructure used by the Trickbot botnet so it could no longer be used to initiate new infections or activate ransomware already planted on computer systems.
Microsoft Corporate Vice President for Customer Security & Trust Tom Burt noted in a company blog that the United States government and independent experts have cautioned that ransomware is one of the largest threats to the upcoming elections.
“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Burt wrote.
“In addition to protecting election infrastructure from ransomware attacks,” he added, “today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled.”
Potential Versus Actual Threat
The takedown of the Trickbot botnet immediately and drastically reduces the ongoing harm caused by the malicious network, observed Matt Ashburn, head of strategic initiatives at Authentic8, maker of a cloud-based Web browser.
The former CIA agent and CISO of the National Security Council told TechNewsWorld, “If allowed to continue, this botnet could have indirectly affected ongoing and upcoming elections by compromising or corrupting systems used for voter registration, election coordination, and other supporting systems relied upon by state and local governments.”
While the potential is there for Trickbot to disrupt the U.S. elections, the actual threat may be less serious than it’s claimed to be. “We have not seen Trickbot being leveraged to threaten the U.S. elections in any way,” Jean-Ian Boutin, head of threat research at Eset, an information technology security company, told TechNewsWorld.
“While we have not observed any motivation by these attackers to go after elections, the potential does exist because of the size of the botnet,” added Vikram Thakur, technical director at Symantec, a division of Broadcom.
“The threat comes from Trickbot pushing ransomware down to computers that might be associated with elections,” he told TechNewsWorld.
Malware as a Service
Microsoft’s Burt noted Trickbot has infected more than a million computers since 2016. “While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives,” he added.
“What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a ‘malware-as-a-service’ model,'” he explained.
“Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware,” he continued.
Burt also wrote that beyond infecting end user computers, Trickbot has also infected a number of Internet of Things devices, such as routers, which has extended Trickbot’s reach into households and organizations.
Malware as a Service can be a boon for less skilled hackers, maintained Jack Mannino, CEO of nVisium, an application security provider. “It reduces the difficulty in maintaining ransomware infrastructure and launching attacks, leveling the playing field for less skilled adversaries,” he told TechNewsWorld.
Austin Merritt, a cyber threat intelligence analyst for Digital Shadows, a provider of digital risk protection solutions, added that Ransomware as a Service (RaaS) gives threat actors all the benefits of a regular ransomware attack, without the hassle of writing their code.
“In essence,” he told TechNewsWorld, “it lowers the barrier of entry for cybercriminals in the ransomware landscape. ”
It also makes money for its authors. “You sell a subscription service like any other SaaS provider and you make money off it,” observed Karen Walsh, the principal at Allegro Solutions, a cybersecurity marketing company.
“It’s a low capital output for a high income,” she told TechNewsWorld. “In 2018, cybercrime as a service earned US$1.6 billion.”
A Botnet Apart
Other botnets are designed in ways similar to Trickbot, but they’re not as targeted, noted John Hammond, a senior security researcher at Huntress Labs, a threat detection and intelligence company.
“It is spread by malicious spam campaigns with very sophisticated branding to impersonate trusted third parties like Microsoft and other official sources,” he told TechNewsWorld.
He added that it installs persistence on the local machine so threat actors can maintain their access and continue their operations. “This allows the attackers flexibility through a command-and-control channel to deploy ransomware or wreak further havoc,” Hammond explained.
Its modular design also contributes to its flexibility, allowing it to update itself and add features remotely. “This capability is one reason it is so popular among cybercriminals,” said Merritt, of Digital Shadows. “It can be customized and developed further to make it more effective and profitable.”
Raising Defenders’ Morale
Burt noted that Microsoft took a new legal tack to shutdown Trickbot.
“Our case includes copyright claims against Trickbot’s malicious use of our software code,” he wrote. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
Mark Kedgley, CTO of New Net Technologies, a provider of IT security and compliance software, praised Microsoft’s strategy. “The new tactic of using copyright law to go after threat actors is a creative way to get legal backing to take the fight to the Botnet Wranglers,” he said.
“It is good to see that, so far, it appears to have been effective in shutting down the majority of the command and control network,” he told TechNewsWorld.
Merritt added the strategy can be an effective way to thwart malware propagation, especially with the assistance of law enforcement. “Civil action can protect customers in many countries around the world that have copyright laws in place,” he maintained.
However, he added, “It is impossible to know how TrickBot may react to this approach. TrickBot operators have fallback mechanisms that allow them to maintain the botnet and recover lost computers infected with Trickbot.”
Regardless of how the Trickbot gang reacts to Microsoft’s actions, they will raise morale among harried defenders of corporate systems.
“The recent prevalence of ransomware has left defenders struggling to keep up and wondering how these operators can be stopped,” observed Katie Nickels, director of intelligence at Red Canary, a cloud-based security services provider.
“For defenders who are fighting against ransomware operators every day,” she told TechNewsWorld, “it is exciting to see actions that could potentially deter some of these operators.”