In 2020, Microsoft Corp. took action to disrupt a botnet, Trickbot, one of the world’s most infamous botnets and prolific distributors of malware and ransomware.
Trickbot was disrupted through a court order Microsoft obtained as well as technical action executed in partnership with an international group of industry and telecommunications providers including the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global intelligence sharing community connecting nearly 7,000 financial institutions, and NTT, a leading global technology service provider.
Key infrastructure was cut off so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.
The disruption of Trickbot, which infected over a million computing devices around the world since late 2016, marked a crucial development for Asia Pacific. The region experiences a higher-than-average encounter rate for ransomware attacks — 1.7 times higher than the rest of the world — of which developing countries, including Indonesia, Sri Lanka, India, and Vietnam, were the most vulnerable to malware and ransomware.
Mary Jo Schrade, Assistant General Counsel, Microsoft Digital Crimes Unit, Asia explained that a large number of governmental entities and businesses, ranging from large conglomerates to hospitals, schools and universities in Asia had been impacted by ransomware attacks. “Ransomware also poses a threat to the election infrastructure of a number of countries,” she continued.
“In addition to its threat to elections, Trickbot is known for using malware to steal funds from people and financial institutions. Financial institutions ranging from global banks and payments processors to regional credit unions have been targeted by Trickbot.”
To disrupt Trickbot, Microsoft formed an international group of industry and telecommunications providers. The Microsoft Digital Crimes Unit (DCU) led investigation efforts, including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen the legal case from a global network of partners, including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, a division of Broadcom, in addition to our Microsoft Defender team.
Further action to remediate victims will be supported by Internet Service Providers (ISPs) and Computer Emergency Readiness Teams (CERTs) around the world.
Trickbot’s attack on computer systems in Asia
In the course of Microsoft’s investigation into Trickbot, approximately 61,000 samples of Trickbot malware were analyzed. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. Its operators could provide customers access to infected machines and offer a delivery mechanism for many forms of malware.
Trickbot is known for using malware to intercept victims’ login credentials for online banking websites, but it is also used to infect victims’ computers with the Ryuk crypto-ransomware, which has been used in attacks against a wide range of public and private institutions. Ransomware can have devastating effects.
In October 2020, it crippled the IT network of a German hospital resulting in the death of a woman seeking emergency treatment.
Beyond infecting victims’ computers, Trickbot has also infected “Internet of Things” (IoT) devices, such as routers, which extends its reach into households and organizations, expanding the scope of vulnerable targets to devices that are often not updated or patched in a timely way.
Trickbot’s spam and spear phishing campaigns, which are used to distribute malware, have leveraged lures such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links. Trickbot has been the most prolific malware operation using COVID-19 themed lures.
How businesses and home computer users can protect themselves
The top actions that businesses and home computer users can take to protect their systems are to use multifactor authentication, to always use good email hygiene, and to update and patch systems in a timely manner.
Multi-factor authentication can stop credential-based attacks dead in their tracks. Without access to the additional factor, the attacker cannot access the account or protected resource. As 90% of attacks start with an email, preventing phishing (and its voicemail- and text-based variants, vishing and SMiShing) can limit the opportunity for attackers to succeed.
Email hygiene platforms that incorporate filtering on the way in and link checking, like Safe Links, when clicked (on the way out) provide the most comprehensive protection. Finally, it is important to ensure that computers are using the most up-to-date versions of software because these patches and updates repair known vulnerabilities.
Says Matt Bennett, Senior Director, Asia Pacific and Japan at VMware Carbon Black, “There was significant activity on cybercrime markets and forums in 2020, and we can only expect this trend to continue into the new year. With Ransomware as a Service (RaaS), bulletproof hosting, and a myriad of privacy-centric cryptocurrencies, the dark web economy has made it easier than ever to get involved in cybercrime.
“We are now seeing traditional criminal enterprises move their operations online, in much the same way as many legitimate businesses in 2020 amid the pandemic,” he warns.
“In 2021, we will likely start to see new approaches, tactics and targets by cybercriminals. As government, healthcare and financial organizations scale up cybersecurity, cybercrime organizations will continue looking for new opportunities for revenue,” he concludes.