Microsoft's malware lab

Microsoft takes legal action, disrupts massive botnet

Image credit: Microsoft

Microsoft has executed a plan to take down a vast ransomware distributor after successfully arguing in court that the malware's malicious use of Microsoft code violated its copyright.

The action is focused on a botnet called Trickbot, one of the world’s most prolific ransomware distributors. Trickbot began life in 2016 as a banking trojan. Since then, its operators (mainly Russian-speaking criminal networks) have built a vast botnet used to access online accounts and extract personal data for purposes such as identity fraud. Microsoft estimates that it has infected more than one million computers since late 2016.

In recent months it has increasingly been used to deliver ransomware, notably Ryuk, which has been deployed in attacks against a range of institutions, including a number of hospitals during the Covid-19 pandemic. Security experts have warned that ransomware could also be used to disrupt democratic processes by infecting the systems that maintain electoral rolls and results.

Microsoft's investigation into Trickbot's operations included analysing 61,000 samples of Trickbot malware. It identified the infrastructure Trickbot used to communicate with and control infected computers, including the IP addresses of its command-and-control servers, the channels infected computers use to communicate with each other, and the mechanisms used to evade detection and disruption.

This evidence was taken to court, where Microsoft argued that Trickbot's malicious use of Microsoft's software code infringed its copyright, and it was granted a court order to proceed with the takedown.

According to the Microsoft 365 Defender Threat Intelligence Team: “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

Because copyright law is far more widely enacted than legislation specifically targeting cybercrime, this approach could allow tech companies to pursue criminal operations in many more jurisdictions.

Microsoft's plan involved disabling the identified IP addresses, blocking access to the content stored on the command-and-control servers, suspending all services to the botnet operators, and blocking their efforts to purchase or lease additional servers. To execute this plan, it worked alongside partners including FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT and Symantec.

This week, the group disrupted Trickbot’s critical infrastructure, preventing its operators from further distributing malware or activating already-deployed ransomware.

In a blog post, Microsoft wrote: “We fully anticipate Trickbot’s operators will make efforts to revive their operations and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”

According to an Associated Press report, Microsoft's approach may be undermined by hosting providers that decline to cooperate. Paul Vixie of Farsight Security commented: “Experience tells me it won’t scale – there are too many IPs behind uncooperative national borders.”
