How Microsoft’s Digital Crime Unit and global partners tackled the botnet infamous for distributing ransomware leveraging the COVID-19 pandemic.

Cybercrime has a wide-ranging impact on everyone, with potential for economic loss of US$1.74 trillion among organizations across Asia Pacific.

Mary Jo Schrade shares about Disrupting trickbot
Mary Jo Schrade, Assistant General Counsel, Regional Lead, Microsoft Digital Crimes Unit Asia

Exploiting the COVID-19 pandemic, attackers have infiltrated systems, with ransomware impacting many government entities, businesses, hospitals, schools and universities in the region.

Within the region, we see a higher-than-average encounter rate for ransomware attacks – 1.7 times higher than the rest of the world.

In response to this, Microsoft recently took major action to disrupt Trickbot, one of the world’s most infamous botnets and prolific distributors of malware and ransomware.

Since then, Microsoft’s Digital Crime Unit has worked with partners around the world to eliminate 94% of Trickbot’s critical operational infrastructure including both the command-and-control servers at the time our action began, and new infrastructure Trickbot has attempted to bring online.

CybersecAsia had the opportunity to discuss the ongoing war against cybercrime and this latest takedown with Mary Jo Schrade, Assistant General Counsel, Regional Lead, Microsoft Digital Crimes Unit Asia:

What is Trickbot? What does it do, what is its payload like, and what does all that mean for regional cybersecurity?

Mary Jo Schrade (MJS):Trickbot is a botnet, a network of servers and infected devices, run by criminals responsible for a wide range of nefarious activities, including the distribution of ransomware.

Trickbot was first discovered in 2016 and was initially designed as a banking trojan to be used to steal banking passwords. Over the years, Trickbot has infected over a million computing devices around the world. What makes it so dangerous is that it has modular capabilities that constantly evolve, allowing criminals to purchase access to the botnet in a “malware-as-a-service” model.

Trickbot has also impacted “Internet of Things” (IoT) devices, such as routers, which extends its reach into households and organizations, expanding the scope of vulnerable targets to devices that are often not updated or patched in a timely way. 

The Trickbot malware is typically delivered via phishing or spam email campaigns, and the cybercriminals distributing it use current events, such as Black Lives Matter and COVID-19, or financial lures to entice users to open malicious file attachments. Trickbot was found to be the most prolific malware operation using COVID-19 themed lures, according to data from Microsoft Office 365 Advanced Threat Detection.

In October 2020, Microsoft, in partnership with several Computer Emergency Response Teams across Asia, took action to disrupt Trickbot, which marks a crucial development for Asia Pacific. Our region currently experiences a higher-than-average encounter rate for malware and ransomware attacks – about 1.7 times higher than the rest of the world.  

Indonesia, Sri Lanka, India, and Vietnam were the Asian countries most vulnerable to malware and ransomware, according to Microsoft’s Security Endpoint Threat Report 2019.

This action was a key step in addressing the prolific spread of malware endangering computer users around the world, although the need to continue focusing on coordinated approaches to address cybercrime remains important.

Please share the latest actions to disrupt Trickbot, the success level so far, and how this was executed in partnership with regional stakeholders.

MJS: Microsoft has been investigating Trickbot since it was identified to be a key threat to our customers.  

During the investigation, our Digital Crimes Unit (DCU) team, working closely with our partners, was able to identify operational details, including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk to each other, and even the precise IP addresses of the botnet’s command and control servers. Approximately 61,000 samples of Trickbot malware were analyzed.

In the case of Trickbot, the DCU-led investigations around Trickbot saw the use of detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen the legal case from a global network of partners. This was done in partnership with organizations including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims and block the communications to victims’ computers are being supported by Internet Service Providers (ISPs) and Computer Emergency Readiness Teams (CERTs) around the world.

In a six-day period that concluded on 18 October 2020, we had worked with partners to eliminate 94% of Trickbot’s critical operational infrastructure including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online.

What is the role of the Microsoft Digital Crimes Unit in disrupting cybersecurity attacks in the region, such as Trickbot?

MJS: Microsoft’s Digital Crimes Unit (DCU) is an international team of technical, legal, and business experts that investigates online criminal networks and makes criminal referrals to appropriate law enforcement throughout the world. It also takes civil actions that seek to disrupt key aspects of the technical infrastructure used by cybercriminals to target customers.

This is done through the innovative application of technology, forensics, civil actions, criminal referrals, and public/private partnerships, all leveraged while protecting the security and privacy of customers.

DCU partners with local and global law enforcement, security firms, researchers, NGOs, and customers. The partnerships allow the unit to act quickly to protect customers and develop cases to refer to law enforcement for investigation and action.

Since 2010, Microsoft’s Digital Crimes Unit (DCU) has collaborated with law enforcement and several partners on 23 malware and botnet disruptions, resulting in over 500 million devices rescued from cybercriminals.

How can businesses in the region protect themselves against this and other similar botnet attacks?

MJS: It is crucial that businesses take action to protect their systems – use multi-factor authentication, practice good email hygiene, and update and patch systems in a timely manner.  

Firstly, multi-factor authentication is crucial, as it can stop credential-based attacks in their tracks. Without access to the additional factor, the attacker has difficulty accessing the account or protected resource.

Secondly, as 90% of attacks begin with an email, preventing phishing can limit the opportunity for attackers to succeed. Email hygiene that incorporates leveraging an email platform that filters emails on the way in and checks links for risks, like Safe Links, when clicked (on the way out) provide the most comprehensive protection. Users should also practice discretion in not downloading any suspicious attachments or click on unusual links in messages, even if they are disguised as coming from trusted sources.

Lastly, computers and devices, should always be running on the most up-to-date versions of software because these patches and updates repair known vulnerabilities. Business users should keep Windows or their operating system up to date by setting their machine to automatically install updates.