By Dave James
After being taken down by Microsoft and the Pentagon ahead of the 2020 presidential election, the group behind Trickbot is up and running again.
The Russian-speaking ransomware group taken down by Microsoft and the Pentagon last year is back up and running and ready to infect a whole new tranche of machines. So yeah, time to be really careful about what links and attachments you click on in unsolicited emails.
The group, known by the moniker of its Trickbot malware, was targeted by the Pentagon’s Cyber Command because of fears that it might decide to interfere with the presidential election. A series of coordinated attacks were launched against infected systems in September 2020, pointing them at a local address rather than a Trickbot control server, and it looked like the debilitating efforts had succeeded.
At least temporarily.
Microsoft also got in on the action, apparently on its own initiative, tracking down the servers actually being used by the Trickbot botnet. Working with ISPs in Latin America, Microsoft was able to obtain court orders that let it disable the IP addresses plumbed into those servers.
Because of the decentralised nature of the group, reportedly spread out across Russia, Ukraine, Belarus, and other locales in Eastern Europe, it’s almost impossible to put these sorts of groups out of action for good. And, despite the arrest of one 55-year-old for apparently facilitating the spread of the Trickbot operation, there’s a lot of evidence that it’s winding back up again.
Indeed, there are reports as far back as January that malware attacks bearing all the essential hallmarks of a Trickbot campaign were happening across North America. Menlo Security said that: “While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”