In this news item, we discuss the report "Court orders seizure of ransomware botnet controls as U.S. election nears."
SAN FRANCISCO (Reuters) – Microsoft said on Monday it had used a court order to take control of computers that installed ransomware and other malware on local government networks and threatened to disrupt the November election.
The maker of the Windows operating system said it had taken control of a series of Internet Protocol addresses hosted by U.S. companies that were being used to direct activity on computers infected with Trickbot, one of the world's most widespread malware families.
More than a million computers have been infected with Trickbot, and its operators use the software to install further malicious programs, including ransomware, on behalf of criminal groups and national governments that pay for access, researchers said.
Trickbot has appeared on the networks of a number of local governments, and the damage could be made worse if its operators encrypt files or install programs that interfere with voter registration records or with the display and public communication of election results, Microsoft said.
“Ransomware is one of the biggest threats to the next election,” said Tom Burt, corporate vice president of Microsoft. Among other programs, Trickbot was used to deliver the Ryuk ransomware, which was blamed in attacks on the city of Durham, North Carolina, and hospitals during the COVID-19 pandemic.
Microsoft worked with Broadcom's Symantec, security firm ESET, and other companies to dissect Trickbot installations and trace them back to the addresses from which they were receiving their instructions, the companies said. Microsoft relied on copyright provisions to convince a federal judge in the Eastern District of Virginia that, because Trickbot incorporated Microsoft code, the company should be allowed to seize the operators' infrastructure from hosting providers that were unaware of it.
The seizure follows technical attempts to disrupt Trickbot last week by feeding its operators bad information, researchers said. The Washington Post reported that U.S. Cyber Command was behind that effort, which was also aimed at cutting off possible sources of electoral chaos. Cyber Command did not respond to a request for comment on Sunday.
A parallel FBI investigation has identified three Eastern Europeans who play a major role in the group behind Trickbot, according to a person working with the government on the matter. The person had expected indictments to be released on Monday, but said that step could have been delayed. A spokesperson for the Department of Justice did not respond to messages seeking comment over the weekend.
Microsoft said the legal seizures and its agreements with telecommunications providers will prevent Trickbot's operators from deploying new software or triggering preinstalled ransomware.
But Symantec said Trickbot has control points in at least 20 countries, none of which are bound by the U.S. court order.
As a result, the group running the compromised machines is likely to regroup and may still be able to communicate with infected computers in the United States, if less easily than before.
Reporting by Joseph Menn in San Francisco. Additional reporting by Chris Bing in Washington; editing by Diane Craft
Original © Thomson Reuters Corporation