The Russian-speaking cybercrime group behind the Trickbot botnet, taken down by Microsoft and the Pentagon last year, is back up and running and ready to infect a whole new tranche of machines. So yeah, time to be really careful about what links and attachments you click on in unsolicited emails.
The group, known by the name of its Trickbot malware, was targeted by the Pentagon's Cyber Command over fears that it might try to interfere with the presidential election. In a series of coordinated operations starting in September 2020, infected systems were fed configuration updates pointing them at a local loopback address rather than a real Trickbot control server, cutting them off from the botnet, and it looked like the disruption had succeeded.
At least temporarily.
Microsoft also got in on the action, apparently on its own initiative, tracking down the servers actually being used by the Trickbot botnet. Working with ISPs in Latin America, Microsoft obtained court orders that allowed it to disable the IP addresses assigned to those servers, so infected machines could no longer reach them.
Because of the decentralised nature of the group, reportedly spread across Russia, Ukraine, Belarus and other parts of Eastern Europe, it's almost impossible to put these sorts of operations out of action for good. And, despite the arrest of one 55-year-old for allegedly facilitating the spread of the Trickbot operation, there's a lot of evidence that it's winding back up again.
Indeed, there were reports as far back as January that malware attacks bearing all the hallmarks of a Trickbot campaign were hitting targets across North America. Menlo Security said: "While Microsoft and its partners' actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment."
And now there are reports from another security firm, Fortinet, linking the group to a new strain of ransomware called Diavol. Bitdefender is also reporting that the Trickbot infrastructure has been brought back into operation and appears to be gearing up for a fresh wave of attacks.
So, what the hell can you do to avoid becoming a victim of this sort of ransomware? As ever, the advice is to keep your system as up to date as possible. I know Windows updates are a pain in the uglies, but staying on top of them means you get the latest security patches for known vulnerabilities.
There's also the fact that targeted ransomware attacks of this kind are generally aimed at large corporations, and at insurance and legal firms in particular. They typically arrive as an email telling you that you've been caught doing something dodgy, maybe a traffic violation, and encouraging you to click a link to see proof of your infraction.
So, again, be really, really careful about what you click on when someone emails you anything. At best it's a bad joke or something you'll actually have to spend time working on; at worst it could cost a fortune.
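As an added example that is not part of the original article, here is a small Python script (standard library only) showing the kind of checks worth running on a suspicious message before clicking anything. It parses a raw email, lists attachments whose extensions are typical of malware droppers (macro-enabled Office files, scripts, executables, archives), and flags links whose visible text names a different host than the real href, or that point at a raw IP address. The "traffic violation" lure message, the sender, the hosts and the file name are all constructed for this example, and the extension list is an assumption rather than anything exhaustive.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a short, non-exhaustive list of attachment
# types commonly used by commodity malware droppers.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe",
                    ".scr", ".lnk", ".iso", ".zip"}
IPV4_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage_email(raw):
    """Parse a raw RFC 5322 message; return attachments, links and findings.
    Findings are (category, detail) tuples; none found does not mean safe."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, attachments, links = [], [], []

    # Attachments: judge by the filename the sender supplied.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("attachment", name))

    # Links: compare what the reader sees with where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        links = parser.links
    for href, text in links:
        href_host = _host(href)
        if IPV4_HOST.fullmatch(href_host):
            findings.append(("ip-link", href))
        # Visible text that is itself a URL but names a different host than
        # the real target is the classic "click here to see proof" lure.
        if re.match(r"https?://", text, re.I) and _host(text) != href_host:
            findings.append(("link-mismatch", f"{text} -> {href}"))

    return {"from": msg.get("From", ""), "attachments": attachments,
            "links": links, "findings": findings}


def build_sample_email():
    """Constructed lure in the 'traffic violation' style; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Traffic Enforcement <notices@traffic-notice.example>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Traffic violation notice #48213"
    msg.set_content(
        "<p>You have been recorded committing a traffic violation.</p>"
        '<p>View the evidence: <a href="http://203.0.113.7/evidence/48213">'
        "https://www.dmv.example.gov/violations/48213</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"not a real spreadsheet", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="violation_photo.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_email(build_sample_email())
    print("From:", result["from"])
    for category, detail in result["findings"]:
        print(f"  [{category}] {detail}")
```

Against the constructed message this reports the macro-enabled attachment, the link to a raw IP and the mismatch between the displayed government-looking URL and the real target; a plain-text message with no attachments or links produces no findings. It is a triage aid, not a verdict: a clean result only means none of these particular tricks were used.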