It’s not just the US government racing to disrupt the Trickbot botnet ahead of elections. Microsoft has revealed that it and multiple partners (including ESET, Lumen’s Black Lotus Labs, NTT, Symantec and FS-ISAC) have taken steps to disrupt Trickbot. The tech giant obtained a court order and used “technical action” to prevent the botnet from either starting new infections or activating any dormant ransomware.
The court order let it disable the IP addresses of Trickbot’s command-and-control servers, suspend services to the operators, make the content stored on those servers inaccessible, and block the operators from buying or leasing more servers. On top of this, Microsoft even made copyright claims against Trickbot’s operators for reportedly making “malicious use” of the company’s code.
Microsoft was primarily concerned that Trickbot’s operators would use the botnet to disrupt the imminent US election through ransomware. Attackers could lock down systems that maintain voter rolls or report results on election night, the company said. The disruption could also help thwart attempts to hijack bank accounts and to threaten critical institutions with ransomware like Ryuk, which has been linked to the death of a German hospital patient as well as to attacks against cities and even newspapers.
This doesn’t appear to have been coordinated with the US government. Anonymous officials talking to the New York Times claimed that Cyber Command had already started hacking Trickbot’s servers in late September. Microsoft only discovered this effort while launching its own, the newspaper said. In both cases, the anti-botnet plans were meant to throw off any possible Russian attacks at a critical moment. It’s not clear that Russia intended to use Trickbot for a malware campaign, but this theoretically takes the option away with little opportunity for perpetrators to regroup before the vote on November 3rd.
Whatever the intent, it’s still a significant blow. Trickbot was the primary delivery method for ransomware like Ryuk. Without it, cybercriminals and any state-sponsored actors will have to scramble to find alternatives. While this isn’t likely to be a permanent setback, it might give security experts and would-be targets some breathing room.