Microsoft and partners cut off key Trickbot botnet infrastructure (Security News, October 2020)
"We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft.
"In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims' networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that 'the relationship between Emotet, Ryuk and Trickbot is considered one of the most notable in the cybercrime world'," Symantec researchers noted.
A week later they did it again, and at the same time "someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records," apparently in an attempt to "dilute the Trickbot database and confuse or stymie the Trickbot operators."
After gathering enough information about the botnet's operation and C&C servers, Microsoft went to the United States District Court for the Eastern District of Virginia, which granted approval for Microsoft and partners to "disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers."
Microsoft has managed to disable 62 of the 69 Trickbot C&C servers.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/lvVRovncb70/