Microsoft and security firms ESET, Black Lotus Labs, and Symantec collaborated with the financial services industry to cut off the ransomware operation's C2 infrastructure.

5 Min Read

Technology and security companies teamed up with the financial services and telecommunications industries to disrupt the command-and-control (C2) infrastructure used to manage the well-known Trickbot ransomware to infect more than a million computing devices, the firms behind the takedown said on Monday. 

Microsoft worked with security researchers from ESET, Lumen's Black Lotus Labs, and Broadcom's Symantec to identity key components of Trickbot's C2 and sever the ransomware's ability to connect to infected systems. The companies worked with the Financial Services Information Sharing and Analysis Committee (FS-ISAC) to obtain a court order that allowed telecommunications firms to shut down the servers on which the operation relied.

The group believes its efforts will hobble the botnet's operations and make efforts to reinfect systems much more difficult, says Jean-Ian Boutin, head of threat research at security firm ESET.

"By trying to disrupt the normal operations of the Trickbot botnet, we hope that it will result in a decrease in the offering of potential ransomware victims," he says. "As Trickbot was a platform for cybercriminals to pick their next ransomware target, by making it unavailable we hope to see a decrease in these devastating attacks."

Trickbot is a modular infection platform that has been distributed through phishing, and by using other infectors, such as Emotet, to install Trickbot. ESET, for example, collected 28 different plug-in modules for the platform that, among other things, collect credentials, modify network traffic, and spread to other systems. 

Once on a system, Trickbot has often been used as a banking Trojan, stealing victims' credentials and using them to gain access to banks. The software also often uses web injects, a technique that allows the attacker to control what a victim sees while on a particular site. An infected system, for example, may not display the victim's true banking balance but instead display the balance the attacker wants them to see.

In March, Trickbot's operators switched their focus from attacks on financial institutions to ransomware. The Ryuk ransomware — which infected a number of cities, healthcare facilities, and schools — is often installed by Trickbot.

"The criminal gang behind Trickbot has regularly updated its malicious software, adding modules with new functionality to increase its effectiveness and potential to cause harm," researchers from Black Lotus Labs, a part of enterprise technology company Lumen, said in their analysis. "They have incorporated tools such as Mimikatz and Cobalt Strike — often used by penetration testers and criminal attackers — to map victim networks, steal operating system credentials, and spread inside organizations."

Microsoft and the FS-ISAC were defendants in the civil case against the Trickbot operators. The software giant had concerns that the platform could be used to attack election sites and machinery ahead of the US presidential election. 

"As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections," Tom Burt, corporate vice president of customer security and trust for Microsoft, said in a blog post. "Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust." 

Microsoft analyzed 61,000 samples of the Trickbot malware. Other companies lent their analyses to the effort as well. The ransomware platform has widely used COVID-themed phishing attacks to convince users to click on malicious links or open malware, Microsoft said.

Monday's action followed Microsoft and the FS-ISAC suing the Trickbot operators in the United States District Court for the Eastern District of Virginia, which granted their request for a court order to take down the servers at specific IP addresses identified by the companies' investigation. 

"This action also represents a new legal approach that our [Digital Crimes Unit] is using for the first time," Microsoft stated in its blog post. "Our case includes copyright claims against Trickbot's malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place."

Civil lawsuits have become the focus on Microsoft's efforts to stop massive cybercriminal operations. While the participants in the latest takedown hope to see the criminals behind the malicious program prosecuted, often the perpetrators do not face justice.  

For companies, the best steps to take are defensive, says ESET's Boutin, who published his own analysis on the attack.

"The best way to protect your organization is to not get compromised in the first place," he says. "A typical infection vector for malware families like Trickbot, that are known to drop ransomware, is malicious emails. On top of endpoint security, hardening security of email systems so that they can detect malicious emails before they arrive in the target's inbox is a good investment." 

Microsoft fully expects the Trickbot operators to make a comeback, albeit slowly.

"We fully anticipate Trickbot's operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," Microsoft stated.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights