When malware strains disappear, it is often by choice of their creators and threat actors, rather than as a result of outside efforts to shut them down. The actions governments and organizations take to combat these threats directly have often proved short-term and limited in scope — a pattern that the resurrection of Trickbot last year unfortunately demonstrated.
An effort led by Microsoft and its partners to disrupt the Trickbot botnet was conducted in the lead-up to the 2020 US election, with the aim of reducing the risk of election tampering. In the end, 94% of Trickbot's known infrastructure was taken offline, sharply reducing its activity in late 2020.
Despite taking such substantial losses, however, Trickbot soon saw a resurrection of incredible proportions. Rather than dying off as some hoped it might, the strain grew back at such a rate that by June 2021 it had again become the most prevalent malware in the world.
One of the numerous organizations that Trickbot targeted that month was a European public administration body. Unaware that one of its internal domain controllers had been compromised by Trickbot, the organization happened to begin a trial of Darktrace's artificial intelligence (AI)-driven cybersecurity technology, which shed light on the attack already under way inside its network.
AI Catches an Emerging Trickbot Ransomware Attack
Darktrace employs AI-powered, behavior-based detection, which learns what is normal for an organization in order to distinguish benign from malicious activity. When the compromised domain controller began uploading DLL files to other devices, Darktrace's technology detected the activity immediately and proposed a response. However, it was configured in "human confirmation" mode, meaning a human operator had to approve the action before it was carried out.
As it waited for the human team to approve its actions, Darktrace continued to monitor the progression of the threat. It detected the compromised domain controller uploading Trickbot over SMB to almost 300 devices across the organization, and then utilizing Windows Management Instrumentation (WMI) to execute it.
Trickbot may be old and well-documented malware, but its modular nature makes it endlessly adaptable and therefore difficult for signature-based security tools to pin down. At this stage in the attack, the traditional tools within the organization's network had still not spotted the threat. When the observable details of an attack change with every new build and module configuration, security systems that depend on known indicators will struggle to keep up.
The difficulty of relying on open-source intelligence (OSINT) against Trickbot was demonstrated in this attack when 160 of the 280 compromised devices were detected connecting to new C2 endpoints. Microsoft and its partners had specifically targeted C2 servers in 2020, but Trickbot's rapid recovery after that action showed how quickly new servers and endpoints can be stood up. In this case, OSINT did not associate any of the endpoints the 160 devices connected to with malicious activity; Darktrace nonetheless recognized the behavior as unusual and issued a high-severity threat notification to the organization.
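The two behaviors described above (a domain controller dropping DLLs over SMB to many hosts and then running them via WMI, and a large number of internal hosts contacting external endpoints that no intelligence feed knows about) can both be caught by comparing activity against what the network normally does, without any indicator list. The script below is an added illustration written for this article; it is not Darktrace's code or model and is not part of the original text. The log format, the 10.0.0.0/8 internal range, the thresholds and every address and timestamp are constructed assumptions.

```python
"""Behaviour-based detection over a constructed network event log (added example).

Two signature-free checks: (1) a host that writes .dll files over SMB to many
peers inside a sliding window and then executes on them via WMI, and (2)
external destinations absent from a baseline period but contacted by many
internal hosts. All data, thresholds and address ranges here are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed organization range (constructed)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    kind: str    # "smb_write" | "wmi_exec" | "tcp"
    detail: str  # written path, executed command, or destination port


def parse_event(line: str) -> Event:
    """Parse one whitespace-separated line of the constructed log format."""
    ts, src, dst, kind, detail = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, kind, detail)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_dll_fanout(events, window=timedelta(minutes=30), min_targets=20):
    """Sources writing .dll files over SMB to >= min_targets distinct hosts
    within any window of the given length; returns {src: targets}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "smb_write" and e.detail.lower().endswith(".dll"):
            by_src[e.src].append(e)
    hits = {}
    for src, writes in by_src.items():
        left = 0
        for right in range(len(writes)):
            while writes[right].ts - writes[left].ts > window:
                left += 1  # slide the window forward
            targets = {w.dst for w in writes[left:right + 1]}
            if len(targets) >= min_targets and len(targets) > len(hits.get(src, ())):
                hits[src] = targets
    return hits


def wmi_after_drop(events, fanout):
    """Narrow fan-out hits to targets that later received a WMI execution
    from the same source (drop-then-execute); returns {src: targets}."""
    first_drop = {}
    for e in events:
        if e.kind == "smb_write" and e.src in fanout and e.dst in fanout[e.src]:
            key = (e.src, e.dst)
            first_drop[key] = min(e.ts, first_drop.get(key, e.ts))
    executed = defaultdict(set)
    for e in events:
        key = (e.src, e.dst)
        if e.kind == "wmi_exec" and key in first_drop and e.ts >= first_drop[key]:
            executed[e.src].add(e.dst)
    return dict(executed)


def novel_external_endpoints(baseline, observed, min_hosts=5):
    """External destinations never seen in the baseline period but contacted
    by >= min_hosts distinct internal hosts; no indicator list is consulted."""
    known = {e.dst for e in baseline if not is_internal(e.dst)}
    hosts = defaultdict(set)
    for e in observed:
        if (e.kind == "tcp" and is_internal(e.src)
                and not is_internal(e.dst) and e.dst not in known):
            hosts[e.dst].add(e.src)
    return {dst: h for dst, h in hosts.items() if len(h) >= min_hosts}


def constructed_logs():
    """Synthetic baseline and incident logs (not real traffic)."""
    t0 = datetime(2021, 6, 14, 9, 0)
    dc, ws = "10.0.0.5", [f"10.0.1.{i}" for i in range(1, 26)]
    baseline = [f"{(t0 - timedelta(days=d)).isoformat()} {w} 198.51.100.20 tcp 443"
                for d in range(1, 8) for w in ws[:10]]
    incident = [f"{(t0 + timedelta(seconds=20 * i)).isoformat()} {dc} {w} smb_write ADMIN$/update.dll"
                for i, w in enumerate(ws)]
    incident += [f"{(t0 + timedelta(minutes=15, seconds=5 * i)).isoformat()} {dc} {w} wmi_exec rundll32"
                 for i, w in enumerate(ws[:22])]
    incident += [f"{(t0 + timedelta(hours=2, minutes=i)).isoformat()} {w} 203.0.113.7 tcp 443"
                 for i, w in enumerate(ws[:8])]
    incident += [f"{(t0 + timedelta(hours=2)).isoformat()} {ws[0]} 203.0.113.9 tcp 443",
                 f"{(t0 + timedelta(hours=3)).isoformat()} {ws[1]} 198.51.100.20 tcp 443"]
    return [parse_event(l) for l in baseline], [parse_event(l) for l in incident]


def run():
    baseline, incident = constructed_logs()
    fanout = smb_dll_fanout(incident)
    return {
        "fanout": {s: len(t) for s, t in fanout.items()},
        "drop_then_exec": {s: len(t) for s, t in wmi_after_drop(incident, fanout).items()},
        "novel_external": {d: len(h) for d, h in novel_external_endpoints(baseline, incident).items()},
    }


if __name__ == "__main__":
    print(run())
```

In the constructed data the domain controller is flagged for pushing a DLL to 25 hosts and executing it on 22 of them, and 203.0.113.7 is flagged because eight internal hosts contact it although it never appeared in the baseline; the single-host connection to 203.0.113.9 stays below threshold, which is the trade-off behind the `min_hosts` parameter. None of this requires the endpoint to be on any blocklist, which is the point the paragraph above makes about OSINT.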
For over a month, the attackers lay low. Darktrace then detected compromised devices scanning the network and downloading suspicious executable files, most likely Ryuk ransomware payloads. With the stages of the attack now more than a month apart, it would have been hard for a human team to piece together its full scope.
Targeted Action Before Encryption
With AI continuously investigating threats across the entire digital environment, however, Darktrace assembled these events into a single attack lifecycle and presented it to the security team. It was at this stage that the organization took notice of the threat and switched Darktrace to "autonomous" mode, enabling the AI to take action on its own.
While the automated tool can often stop ransomware attacks at the first signs of a compromise, it can engage at any stage of an attack. Thus, when it was activated at a very late stage by this organization, it still calculated a precise and effective response.
Several malicious actions were blocked by the AI, including SMB enumeration, network scanning, and suspicious outbound connections. Because the response targeted these specific actions rather than the devices as a whole, the 280 compromised devices were able to continue their normal business operations while the attack was brought to a halt; the hosts themselves, of course, still required remediation afterwards.
Now that they could no longer complete command-and-control (C2) communications or move laterally, the attackers were unable to execute Ryuk, and the attack came to an end, not a moment too soon. Had the attackers been allowed to execute the ransomware, they likely would have exfiltrated and then encrypted data from across the organization. Even when a ransom is paid, ransomware victims typically incur numerous other costs, including downtime, remediation, and reputational damage.
Staying Ahead of Malware Trends
It is clear that Trickbot is as strong and evasive as it ever was, and that relying on rules or intelligence-based tools alone is not enough for organizations trying to avoid becoming victims. Rather than waiting for companies and governments to launch offensives against the endlessly regenerating infrastructure of attackers, organizations should take matters into their own hands and bolster their own defenses with AI.
By learning how the business usually behaves, rather than trying to identify the attacker, Darktrace's AI can stop novel threats without rules or OSINT and is far less sensitive to reconfigurations and rebrands. Protecting organizations against novel attacks in this way is a durable way to start hitting Trickbot and other threat actors where it hurts.