A massive hacking network that Microsoft and the US military tried to stop last month is already back — and it could be a bad sign for Election Day
- Cybercriminals carried out a string of ransomware attacks against US hospitals last week and could be poised to launch even more, US officials warned.
- The FBI said the attacks were carried out in part using Trickbot, a massive network of bots that has for years evaded efforts by security firms and governments to shut it down.
- The wave of attacks last week came after Microsoft announced last month that it had significantly disrupted the bot network by working with the US military, taking 94% of its infrastructure offline — but cybercriminals rebuilt the botnet shortly after, analysts said.
- Cybersecurity experts say the events show the resilience of ransomware hackers' tactics, and build on longstanding fears that ransomware could be used to target local elections offices, potentially making it more difficult to count ballots on Election Day.
Last month, Microsoft announced it had won a major victory in the fight against cybercrime. The company said in mid-October that it had thwarted Trickbot — a stubborn malware network that's been used to infect critical computer systems, often shutting them down for ransom. Experts were relieved by the announcement; Trickbot and other ransomware infrastructure, they had warned, could be used to target elections offices and cause chaos on Election Day.
But less than two weeks later, an unprecedented wave of ransomware attacks hit US hospitals — and US officials and cybersecurity experts said Trickbot's makers were to blame.
The FBI said in a warning that cybercriminals used Trickbot in conjunction with other malware to carry out a wave of attacks against US hospitals last week, disrupting their computer systems and delaying surgeries. More attacks carried out by the same group could be looming, US officials added.
The wave of ransomware attacks shows that the cybercriminals who built Trickbot are undeterred and are quickly adapting new tools to carry out similar attacks, according to Jeremy Kennelly, analysis manager at FireEye's Mandiant Threat Intelligence unit, which has been tracking the group's botnet activity.
Microsoft is now locked in a cat-and-mouse game with the makers of Trickbot, who quickly rebuilt the botnet but used other strains of malware in their arsenal to attack hospitals last week, Kennelly says. In those attacks, Trickbot's makers deployed malware on behalf of other cybercriminals, such as the Russian-speaking hacker group UNC1878, according to security analysts and US officials.
Security experts told Business Insider that the hackers' tenacity is a sign that their operations are unlikely to be completely thwarted by Election Day. It is also another sign that hackers and their malware have grown more formidable, even against security giants like Microsoft.
"Microsoft's disruption of the TrickBot botnet was highly successful, however there was evidence shortly thereafter suggesting that the botnet was quickly rebuilt. Despite this back and forth, it appears as though there are ongoing attempts to disrupt the TrickBot botnet's infrastructure which are proving successful, at least for the time being," Kennelly told Business Insider, adding that it's unknown whether Microsoft is behind the latest efforts.
Microsoft did not provide an on-the-record statement in response to Business Insider's request for comment. We will update this article if that changes.
The resurgence of the group that made Trickbot raises concerns about Election Day — experts have long warned that ransomware could be used against local elections offices to cause chaos on Election Day, and Microsoft explicitly said that it timed its disruption of Trickbot to the run-up to the election in order to fend off such attacks. The US Military's Cyber Command also assisted with the effort specifically to protect voting systems from Trickbot, The Washington Post reported.
"Our disruption is intended to disable Trickbot's infrastructure and make it difficult for its operators to enable ransomware attacks, which have been identified as one of the biggest threats to the upcoming U.S. elections," Microsoft VP for security Tom Burt said in a blog post last month, claiming that Microsoft disabled 94% of Trickbot's infrastructure globally.
Burt also warned that even if Trickbot is handicapped, the botnet's developers could quickly find other tactics, noting that "there is not always a straight line to success."
Some cybersecurity experts questioned whether Microsoft's announcement on disrupting Trickbot overstated its success at neutralizing the cybercriminals behind the bot network.
"The Trickbot disruption efforts looked more like a PR stunt rather than a takedown operation. By now it's pretty clear to everyone that Trickbot is not going away anytime soon," Stefan Tanase, a cybercrime analyst, told Business Insider.
Other experts say they believe Microsoft's disruption of Trickbot was effective, but that the recent surge in attacks shows hackers' resourcefulness in evading such crackdowns. The FBI said cybercriminals behind the recent attacks on US hospitals used Trickbot in conjunction with a strain of ransomware called Ryuk and a newer piece of malware called BazarLoader, a loader from the same operators that could ultimately replace long-established botnets like Trickbot.
"There is no doubt that the actions by Microsoft and US Cyber Command significantly disrupted Trickbot. The series of attacks on hospitals may have been the result of old and previously unexploded ordnance being detonated via Trickbot's remaining infrastructure," Brett Callow, a researcher with the cybersecurity firm Emsisoft, told Business Insider.
Hacker groups could also be retaliating against the attempted Trickbot takedown by Microsoft and the US government, according to Caleb Barlow, CEO of the security firm CynergisTek.
"The timing of this threat raises many eyebrows, occurring just two weeks after an attempted takedown of TrickBot by the U.S. government and Microsoft and less than a week out from the Presidential election," Barlow said via email. "TrickBot may have been significantly disrupted but it is also clearly resilient."
These experts and others say they see ransomware as an Election Day threat because it could be used to cause chaos or to force local governments to pay hefty ransoms.
Ransomware works by crippling victims' computer systems in order to extort them. Cybercriminals send their victims phishing links that appear to be trustworthy in order to harvest their login credentials or get malware onto their machines; from there, they move deeper into the organization's network and install the ransomware, which encrypts files and locks down the systems until victims pay a ransom.
There's no indication that hackers would be able to alter vote tallies with the ransomware; rather, cyberattacks could disrupt local elections offices' administrative processes to slow the counting of ballots or make it harder for officials to announce the results of elections. US officials said last month that Russian hackers have targeted local elections offices, stealing voter data from at least two servers, possibly with the intent of disrupting their operations.
The recent string of ransomware attacks appears to be purely profit-motivated, experts said, but cybercriminals may see voting systems on Election Day as a highly profitable target given their crucial function.
"The ransomware business is all about putting pressure on the victim to pay. The more critical the target is, the easier it is for cybercriminals to extort money," Tanase said.
Ransomware attacks have risen by 50% over the past three months, according to security firm Check Point, and experts say ransomware attacks will continue to proliferate as long as victims keep paying ransoms. Some firms have called on lawmakers to ban ransom payments in order to choke out incentives for criminals.
Updated Nov. 2, 2020 at 7:16 p.m.: This story was updated to include new details from security analysts about Microsoft's fight against Trickbot's makers.