Court orders seizure of ransomware botnet controls as U.S. election nears
By Joseph Menn
SAN FRANCISCO (Reuters) - Microsoft said on Monday it had used a court order to take control of computers that install ransomware and other malicious software on local government networks and that threaten to disrupt the November elections.
The Windows operating system maker said it had seized a number of Internet Protocol addresses hosted by U.S. companies that directed the activity of computers infected with Trickbot, one of the most widespread malware families in the world.
Trickbot has infected more than a million computers, and its operators use the software to install additional malicious programs, including ransomware, on behalf of both criminal groups and national governments that pay for access, researchers said.
Trickbot has turned up on the networks of a number of local governments, where it could do the most damage if its operators encrypt files or install programs that interfere with voter registration records or with the display and public reporting of election results, Microsoft said.
"Ransomware is one of the biggest threats to the upcoming elections," said Tom Burt, a corporate vice president at Microsoft. Trickbot has been used, among other things, to deliver the Ryuk ransomware, which was blamed for attacks on the city of Durham, N.C., and on hospitals during the COVID-19 pandemic.
Microsoft worked with Broadcom's Symantec, security firm ESET and other companies to analyze Trickbot installations and trace them back to their command addresses. Microsoft then used copyright law to convince a federal judge in the Eastern District of Virginia that, because Trickbot incorporated Microsoft code, the company should be allowed to take over the operators' infrastructure from hosting providers that were unaware of how it was being used.
The seizure follows technical attempts to disrupt Trickbot last week by feeding bad information to its operators, researchers said. The Washington Post reported that U.S. Cyber Command was behind those efforts, which were also aimed at heading off possible sources of election chaos. Cyber Command did not respond to a request for comment on Sunday.
A parallel FBI investigation has identified three Eastern Europeans who hold important roles in the group behind Trickbot, said a person who works with the government on the matter. The person had expected charges to be unsealed on Monday but said the move may have been delayed. A Justice Department spokesman did not respond to a request for comment over the weekend.
Microsoft said the legal seizures and its agreements with telecommunications providers would prevent Trickbot from deploying new software or activating ransomware that had already been installed.
However, according to Symantec, Trickbot has command-and-control points in at least 20 countries, none of which are bound by the U.S. court order.
Because of this, the group running the compromised computers is likely to regroup and to resume communicating with infected machines in the United States, albeit less smoothly than before.
(Reporting by Joseph Menn in San Francisco. Additional reporting by Chris Bing in Washington; editing by Diane Craft)