Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Microsoft Says Most TrickBot Servers Are Down

Most of the servers associated with the TrickBot botnet have been taken down following the technical and legal effort announced last week, Microsoft says.

Most of the servers associated with the TrickBot botnet have been taken down following the technical and legal effort announced last week, Microsoft says.

The takedown was meant to disable Trickbot’s infrastructure and prevent its operators from reviving the botnet, but initial reports claimed that the network of infected machines continued operations unhindered.

The TrickBot operators, which some say are the hackers that also use Ryuk and Conti ransomware, appeared largely unaffected by the takedown attempt, with only a relatively small percentage of the bots being isolated.

On Tuesday, threat intelligence company Intel 471 revealed that newly observed TrickBot control servers were unable to respond to bot requests, and Microsoft now says its actions have successfully prevented newly registered servers from becoming operational.

The tech giant explains that it managed to take down 62 of the 69 initial TrickBot servers around the world, as well as 58 of the 59 new servers that the malware operators attempted to add to their infrastructure.

“In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, says.

Burt also notes that, due to the botnet’s unique architecture, Microsoft and its partners are taking a “persistent and layered approach to addressing Trickbot’s operations around the world.” Furthermore, he says, the same action will continue throughout election day on November 3.

Microsoft’s partners, he says, are working to clean and remediate compromised Internet of Things (IoT) devices that are being used as non-traditional command and control (C&C) infrastructure.

Advertisement. Scroll to continue reading.

“These compromised routers pose a unique challenge for the internet service providers (ISPs) as they must simultaneously work to remediate devices while keeping legitimate traffic uninterrupted, and this delicate work is underway. Finally, we’re working with ISPs and others to also clean devices in people’s homes and businesses that might be infected,” Burt notes.

The focus of this effort, he adds, is to disrupt TrickBot during peak election activity, and so far the company feels confident with the progress it has made, as the cybercriminals need to invest a lot into rebuilding their server infrastructure.

“We fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our partners will continue to monitor them and take action. We encourage others in the security community who believe in protecting the elections to join the effort and share their intelligence directly with hosting providers and ISPs that can take Trickbot’s infrastructure offline,” Burt concludes.

Related: New TrickBot Control Servers Unable to Respond to Bot Requests

Related: Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

Related: Anatomy of Ryuk Attack: 29 Hours From Initial Email to Full Compromise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.