Microsoft's anti-Trickbot ransomware disruption holding up

Microsoft security researchers have taken stock of the recent operation to take down the Trickbot network and found that it continues to suppress the ransomware criminals' activities.

With the help of court orders and partners around the world, Microsoft was able to shut down 94 per cent of Trickbot infrastructure.

Other security researchers were sceptical that the disruption would have a lasting effect, with company Intel 471 saying "the operators behind Trickbot will have little problem rebuilding the botnet with new infections."

Intel 471's prediction turned out to be too pessimistic, however.

The security intelligence company now said that a sample of Trickbot delivered by the Emotet malware was configured with 16 command and control servers, but none of them would respond to bot requests.

"Intel 471 believes disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure." the company said.

Microsoft's vice-president of customer security and trust, Tom Burt, said that Trickbot operators added 59 new servers to make up for 62 that were disabled last week; 58 of the new servers were disabled by Microsoft in a follow-up operation.

In total, 120 of 128 identified Trickbot servers have been taken down, Burt said.

Of the initial 69 servers identified, seven run as command and control sites on Internet of Things devices infected by Trickbot, and are also in the process of being disabled with additional court orders filed by Microsoft.

Microsoft is also collaborating with internet service providers to identify and clean out IoT devices like home and business routers that have been hijacked as Trickbot C&C servers.

So far, the signs are encouraging and the Trickbot operators are struggling to get back into the game, Burt said.

"Anytime a botnet’s server infrastructure is eliminated, the attempt to rebuild is not as simple as setting up new servers. New servers need to be provisioned to begin talking with the botnet’s infected devices and issuing commands, all of which takes time."

"We have identified new Trickbot servers, located their respective hosting provider, determined the proper legal methodology to take action, and completely disabled those servers in less than three hours."

"Our global coordination has allowed a provider to take quick action as soon as we notify them – in one case, in less than six minutes," he wrote.

Nevertheless, Burt said this is challenging work, and he expects Trickbot operators will continue to look for ways to stay up and running.

Faced with the determined action from Microsoft and its partners, Trickbot operators have been forced to focus on setting up new infrastructure, and have turned to competing criminal syndicates for help to drop malware payloads.

Trickbot is a multi-purpose Trojan Horse malware for Windows that targets both enterprises and residential users. 

Security researchers deem it highly dangerous as it can steal user data, operate as a remote access tool, send spam emails and download ransomware as well.