CyberCom Disrupted Trickbot Botnet Ahead of Elections and Amid Growing Ransomware Attacks

But the gang behind the malware still appears to be up to its old tricks...

Through Cyber Command (CyberCom), the U.S. government has mounted an operation to disrupt the Trickbot botnet, the world’s largest botnet, which is run by Russian-speaking criminals who have hijacked millions of computers to engage in malfeasance, including ransomware attacks, according to officials who spoke to the Washington Post’s Ellen Nakashima. The operation isn’t expected to scuttle Trickbot permanently but is part of what the head of Cyber Command Paul Nakasone calls “persistent engagement” to force adversaries to engage constantly.

Cybersecurity journalist Brian Krebs first reported on the Trickbot operation last week without identifying Cyber Command as the disruptor. Citing research conducted by cyber intelligence firm Intel 471, Krebs noted that someone was tampering with the botnet, launching two attacks against Trickbot and pushing new configuration files that told the infected hosts their new malware control server was at a “localhost” address, one that is not reachable over the public Internet.

Cyber Command ostensibly tried to aim its disruptive cyber actions against the Trickbot crew to protect the upcoming elections. The military intelligence arm is widely credited with warding off serious foreign adversary cyberattacks during the 2018 midterm elections.

But ransomware is a growing scourge that seems unstoppable, and CyberCom could also have been spurred on by a Trickbot-enabled ransomware attack last month against Universal Health Services (UHS), one of the nation’s top health-care providers, whose systems were locked up by the ransomware known as Ryuk. Computer systems at 400 UHS facilities were locked down for days, forcing staff to use pen and paper and potentially jeopardizing the care of thousands of patients.

Underscoring the seriousness of the attack, Senator Mark Warner (D-VA) just yesterday sent a letter to the UHS CEO asking him to answer a series of questions related to the attack. “As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity,” he wrote.

Despite the CyberCom effort, the Trickbot gang hasn’t stopped its operations. It appears that the cybercriminals are in fact back to their old tricks, as Catalin Cimpanu suggested in a tweet.

Cimpanu might be referring to a malware operation that exploits Donald Trump’s COVID-19 illness. Hackers sent phishing emails purporting to link to the status of Trump’s health. Users were instead tricked into downloading the BazaLoader backdoor, a kind of trojan commonly linked to the developers of the TrickBot hacking tool.

Image by Department of Defense, Public Domain