Court orders seizure of ransomware botnet controls as U.S. election nears
October 12, 2020 | By Joseph Menn
SAN FRANCISCO (Reuters) - Microsoft said
Monday it had used a court order to take control of computers that were
installing ransomware and other malicious software on local government
networks and threatening to disrupt the November election.
The maker of the Windows operating system said it seized a series of
internet protocol addresses hosted by U.S. companies that had been
directing activity on computers infected with Trickbot, one of the most
common pieces of malware in the world.
More than a million computers have been infected with Trickbot, and the
operators use the software to install more pernicious programs,
including ransomware, for both criminal groups and national governments
that pay for the access, researchers said.
Trickbot has shown up on a number of government networks, which could be
harmed further if the operators encrypt files or install programs that
interfere with voter registration records or the display and public
reporting of election results, Microsoft said.
"Ransomware is one of the largest threats to the upcoming election,"
said Microsoft Corporate Vice President Tom Burt. Among other programs,
Trickbot has been used to deliver Ryuk ransomware, which has been blamed
in attacks on the city of Durham, N.C., and hospitals during the
COVID-19 pandemic.
Microsoft worked with Broadcom's Symantec, security firm ESET and other
companies to dissect Trickbot installations and trace them to the
command addresses, the companies said. Microsoft for the first time used
strict provisions in copyright law to convince a federal judge in the
Eastern District of Virginia that since Trickbot used Microsoft code,
the company should be able to seize the operators' infrastructure from
their unknowing hosting providers.
[Photo: A person casts a ballot for the upcoming presidential election during early voting in Sumter, South Carolina, U.S., October 9, 2020. REUTERS/Micah Green]
The seizure follows mechanical attempts to disrupt Trickbot last week by sending
the operators bad information, researchers said. The Washington Post reported
that U.S. Cyber Command was behind that effort, also aimed at cutting off
possible sources of election chaos. Cyber Command did not respond Sunday to a
request for comment.
A parallel FBI investigation identified three Eastern Europeans with major roles
in the group behind Trickbot, according to one person working with the
government in the matter. The person had expected indictments to be unsealed
today, but said that step might have been delayed. A Justice Department
spokesman did not respond to messages seeking comment over the weekend.
Microsoft said the legal seizures and its deals with telecommunications
providers would stop Trickbot from deploying new software or activating
pre-installed ransomware.
But Symantec said Trickbot has control points in at least 20 countries, none of
which are bound by the U.S. court order.
For that reason, the group running the compromised machines is likely to regroup
and may be able to communicate with infected computers in America, if less
smoothly than before.
(Reporting by Joseph Menn in San Francisco. Additional reporting by Chris Bing
in Washington; editing by Diane Craft)
© 2020 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.