An outlaw online network that's been used to infect millions of computers with ransomware has been disrupted by Microsoft.

The company announced Monday that, together with telecommunications providers around the world, it was able to cut off the infrastructure used by the Trickbot botnet so it could no longer be used to initiate new infections or activate ransomware already planted on computer systems. Microsoft Corporate Vice President for Customer Security & Trust Tom Burt noted in a company blog that the United States government and independent experts have cautioned that ransomware is one of the largest threats to the upcoming elections.

"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," Burt wrote. "In addition to protecting election infrastructure from ransomware attacks," he added, "today's action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled."


Potential versus Actual Threat

The takedown of the Trickbot botnet immediately and drastically reduces the ongoing harm caused by the malicious network, observed Matt Ashburn, head of strategic initiatives at Authentic8, maker of a cloud-based Web browser.

While the potential is there for Trickbot to disrupt the U.S. elections, the actual threat may be less serious than it's claimed to be. "We have not seen Trickbot being leveraged to threaten the U.S. elections in any way," Jean-Ian Boutin, head of threat research at Eset, an information technology security company, told TechNewsWorld.

Malware as a Service

"Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware," Microsoft's Burt continued.

Burt also wrote that beyond infecting end-user computers, Trickbot has infected a number of Internet of Things devices, such as routers, which has extended Trickbot's reach into households and organizations.

Malware as a Service can be a boon for less skilled hackers, maintained Jack Mannino, CEO of nVisium, an application security provider. "It reduces the difficulty in maintaining ransomware infrastructure and launching attacks, leveling the playing field for less skilled adversaries," he told TechNewsWorld.

Austin Merritt, a cyber threat intelligence analyst for Digital Shadows, a provider of digital risk protection solutions, added that Ransomware as a Service (RaaS) gives threat actors all the benefits of a regular ransomware attack, without the hassle of writing their code. "In essence," he told TechNewsWorld, "it lowers the barrier of entry for cyber criminals in the ransomware landscape."

It also makes money for its authors. "You sell a subscription service like any other SaaS provider and you make money off it," observed Karen Walsh, the principal at Allegro Solutions, a cyber security marketing company. "It's a low capital output for a high income," she told TechNewsWorld. "In 2018, cyber crime as a service earned US$1.6 billion."

A Botnet Apart

Other botnets are designed in ways similar to Trickbot, but they're not as targeted, noted John Hammond, a senior security researcher at Huntress Labs, a threat detection and intelligence company. "It is spread by malicious spam campaigns with very sophisticated branding to impersonate trusted third parties like Microsoft and other official sources," he told TechNewsWorld. He added that it installs persistence on the local machine so threat actors can maintain their access and continue their operations. "This allows the attackers flexibility through a command-and-control channel to deploy ransomware or wreak further havoc," Hammond explained.

Its modular design also contributes to its flexibility, allowing it to update itself and add features remotely. "This capability is one reason it is so popular among cyber criminals," said Merritt, of Digital Shadows. "It can be customized and developed further to make it more effective and profitable."

Raising Defenders' Morale

Regardless of how the Trickbot gang reacts to Microsoft's actions, those actions will raise morale among harried defenders of corporate systems. The recent prevalence of ransomware has left defenders struggling to keep up and wondering how these operators can be stopped, observed Katie Nickels, director of intelligence at Red Canary, a cloud-based security services provider. "For defenders who are fighting against ransomware operators every day," she told TechNewsWorld, "it is exciting to see actions that could potentially deter some of these operators."