As part of a coordinated effort that began around a week and a half ago, Microsoft and its partners have almost completely disabled an elusive botnet that has infected over a million computing devices since late 2016.
Called Trickbot, it is run by criminals and has been used to conduct a "wide range of nefarious activity," including the spread of ransomware, a type of malware that effectively prevents a victim from accessing their files by encrypting their data. The only way to unlock the files is with a decryption key. Typically, the malware author demands a ransom, often in Bitcoin, in exchange for unlocking a victim's files. In some cases, there is a time limit to pay up, or else the data is permanently deleted.
"Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust," Microsoft explained earlier this week.
Microsoft obtained a court order to coordinate its efforts with telecommunication providers around the globe. According to Microsoft, Trickbot is particularly dangerous because its modular makeup allows it to constantly evolve, making detection and removal more difficult than static malware.
In the past four years, Trickbot has infected computers and IoT devices, including wireless routers. In addition to doling out ransomware, which in one instance crippled the IT network of a hospital in Germany, Trickbot has been used to hijack web browsers to swipe login information for banking sites, and to conduct spam and spear-phishing campaigns.
Microsoft said it initially discovered 69 servers that were core to Trickbot's various operations. In a short span, it has knocked 62 of them offline.
"The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled," Microsoft states in a new blog post.
Through ongoing tracking, Microsoft discovered 59 additional servers that Trickbot's operators attempted to add into the mix, and subsequently disabled 58 of them. So in total, Microsoft has killed 120 of the 128 Trickbot servers it has discovered.
This is an ongoing offensive, and Microsoft says the numbers will inevitably change. "This is challenging work, and there is not always a straight line to success," the company says. However, it has made a huge dent in Trickbot's operations and is optimistic it will stay ahead of things.