Hitting ransomware operators hard before the US election, Microsoft on Monday said it has taken down a massive botnet called Trickbot that has infected over a million computing devices around the world to date.
Microsoft Defender team along with a coalition of tech partners like Broadcom’s Symantec took down the TrickBot malware botnet and cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.
The tech giant said it took the action after the US District Court for the Eastern District of Virginia granted its request for a court order to halt Trickbot’s operations.
“In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organisations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled,” said Tom Burt, Corporate Vice President, Customer Security and Trust.
While the exact identity of the Trickbot operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.
In the course of Microsoft’s investigation into Trickbot, the tech giant analysed approximately 61,000 samples of Trickbot malware.
What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model.
“Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware,” Burt informed.
Beyond infecting end user computers, Trickbot has also infected a number of Internet of Things (IoT) devices, such as routers, which has extended its reach into households and organisations.
Trickbot has also been the most prolific malware operation using Covid-19 themed lures.
The court granted approval for Microsoft and its partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.
Financial institutions ranging from global banks and payments processors to regional credit unions have been targeted by Trickbot.
Trickbot is also known to deliver the Ryuk crypto-ransomware that has been used in attacks against a wide range of public and private institutions.
Most recently, it crippled the IT network of a German hospital resulting in the death of a woman seeking emergency treatment.
–IANS
