Microsoft disrupts international botnet group ahead of Election Day
Microsoft on Monday announced it had taken control of networks used by a wide-ranging ransomware group that posed a threat to U.S. elections and other critical infrastructure.
Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a blog post Monday that the company had taken control of a distributed infrastructure used by a group known as “Trickbot” to distribute ransomware viruses. The actions by Microsoft and its telecommunications partners worldwide will prevent the group from launching further attacks.
The Ryuk ransomware virus delivered by the Trickbot group was recently attributed to an attack on a German hospital that resulted in the death of a woman who was not able to receive life-saving treatment in time. Ryuk malware was also connected to the ransomware attack on Universal Health Services earlier this month that led to computers at all 250 of its U.S. hospital facilities being temporarily negatively affected, according to The Associated Press.
The Ryuk ransomware virus was also responsible for targeting an IT provider for over 100 nursing homes, a Department of Defense contractor, and the city government of Durham, N.C.
“Trickbot has infected over a million computing devices around the world since late 2016,” Burt wrote. “While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.”
Microsoft was able to disrupt the botnet network with approval from the U.S. District Court for the Eastern District of Virginia. Burt noted that the action would protect not only elections, where officials have cited concerns over potential ransomware attacks disrupting the voting process, but also critical groups including governmental organizations, health care facilities and financial institutions.
Trickbot used COVID-19 and other major issues of the day, including the Black Lives Matter protests, to distribute malware through malicious phishing emails.
“Trickbot has been the most prolific malware operation using COVID-19 themed lures,” Burt said.
In order to shut down the operation, Microsoft partnered with groups including the Financial Services Information Sharing and Analysis Center, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of cybersecurity group Broadcom.
The Washington Post reported last week that U.S. Cyber Command had also moved in recent weeks to disrupt the Trickbot botnet group as part of an effort to impose consequences on cyber adversaries.
Despite the strides forward made against Trickbot on Monday, Burt noted that the company expected the hackers behind the group to return.
“We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them,” Burt noted Monday.
Ransomware, which involves hackers accessing and encrypting a system and demanding payment to restore access, has become an increasing source of concern over the past two years.
Ransomware viruses have targeted city governments including those in Atlanta, Baltimore and New Orleans, costing the cities millions of dollars to restore full online operations. They have also been used to target school districts.
The COVID-19 pandemic has seen malicious cyber activity skyrocket, news which comes amid concerns around ransomware potentially targeting U.S. election infrastructure in order to disrupt voting.
The Department of Homeland Security (DHS) recently warned of the dangers of cyberattacks targeted at election infrastructure in its 2020 Homeland Threat Assessment, including those from foreign adversaries.
Christopher Krebs, the director of DHS’s Cybersecurity and Infrastructure Security Agency in July pointed to ransomware attacks as an issue officials were watching closely.
“We do anticipate that if they were going to do something in the next couple of months, and I’m not just talking about up to and through to Nov. 3, but in that period after the election,” Krebs said during a virtual event hosted by the Brookings Institution, “[we are] absolutely ripe for a destructive or disruptive attack by a capable adversary, so we have to be ready.”
The Hill has removed its comment section, as there are many other forums for readers to participate in the conversation. We invite you to join the discussion on Facebook and Twitter.