YakobchukOlena - Fotolia
One of the most prolific distributors of ransomware has been taken down -- for now.
A private sector coalition, led by Microsoft, obtained a court order that enabled them to disrupt the Trickbot botnet's back-end server infrastructure. In a blog post Monday, Tom Burt, Microsoft's corporate vice president of Customer Security & Trust, said operators behind the malware, which has been active since late 2016, will no longer be able to initiate new infections or activate ransomware already dropped into computer systems. The coordinated effort to halt Trickbot operations also included vendors such as ESET, Lumen's Black Lotus Labs, NTT and Symantec, as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
"What makes it so dangerous is that is has modular capabilities that constantly evolve, infecting victims for the operators' purposes through a "malware-as-a-service model"," Burt wrote in the blog post.
While Trickbot started off as a successor to the Dyre banking Trojan, designed to steal banking credentials, it evolved into a modular malware, which allowed cybercriminals access to the botnet to use as an entry point to install recon tools. From there, they used those tools to steal credentials, exfiltrate data and deploy additional payloads, most notably the Ryuk ransomware.
Global head of intelligence at FS-ISAC Teresa Walsh said they began working on this action 18 months ago as part of their focus to protect the global financial system.
"Trickbot is a banking Trojan, so that has a fraud impact to our customers. Trickbot has delivered Ryuk ransomware, which is a problem for both firms and customers," she said in an email to SearchSecurity.
Ransomware attacks have plagued organizations like financial services institutions along with government agencies, healthcare facilities, businesses and universities, and only continue to worsen.
"Ransomware used to be a straightforward attack strategy: Criminals hold your data or access to your systems for ransom; if you pay the money, you get your data or access to locked systems," Walsh said. "Now, threat actors use extortion for publishing the data online; auctioning off the data on the dark web; and ransomware as a service, where novice criminals buy kits from more technical actors. Ransomware operators are also known to target third-party suppliers as a way to get to financial institutions, who tend to have strong cybersecurity programs in place."
To disrupt the notorious botnet, Microsoft's Digital Crimes Unit (DCU) used a new legal technique in court by using copyright claims against Trickbot operators for malicious use of the company's code.
Kevin Haley, director of security response at Symantec division at Broadcom, said Microsoft approached Symantec years ago to partner with them to understand Trickbot's infrastructure, but it wasn't until recently they communicated about the court case.
"Undoubtably they will try and duplicate this method in other countries, which will expand its effectiveness," Haley said. "No single thing will solve cybercrime. But this means we have a new tool to use against the bad guys that does cause them significant disruption."
The success of the disruption is already showing positive results for FS-ISAC.
"Initial checks on the botnet shows that the disruption has had affect even from yesterday when the Microsoft activity went public. We have already had one member report no new phishing campaigns yesterday or today related to Trickbot," Walsh said.
The takedown's impact on the overall ransomware landscape may be temporary.
"While this operation is meant to disrupt one major ransomware distributor, it is by no means the only one," Walsh said. "It's also important to understand that this will be an ongoing effort as the Trickbot operators try to regroup and rebuild. The main intention is to make it much harder for them to carry out their cybercrime activities."
Haley agreed that ransomware isn't going away any time soon. "But we've knocked one of the major players off their stride. Ultimately ransomware goes away when no one agrees to pay the ransom anymore," he said. "Today, with million-dollar payments the incentive is so high, criminals will find a way around any obstacle."
In addition to extorting millions of dollars from enterprises, Burt noted in his blog post that ransomware poses a significant risk to election infrastructure ahead of the November elections. "Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," he wrote.
Law enforcement has been particularly concerned with ransomware attacks on state and local networks around Election Day. During a Black Hat USA 2020 session, Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), said the biggest threat facing the 2020 elections may be ransomware attacks.
While there have been no reports of direct ransomware attacks on election infrastructure, Burt said the Trickbot takedown will help protect election infrastructure in the coming weeks.