As GeekWire reported, Microsoft has announced that it used a court order and technical collaboration with telecommunications providers to disrupt Trickbot, a ransomware distributor that could threaten the integrity of the upcoming elections.
Microsoft noted in a blog post,
As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.
Microsoft said that Trickbot had infected over a million computer devices globally since 2016. The bot’s operators are believed to serve both criminals and national governments.
Trickbot has been used to steal money from banks and individuals by hijacking the browsers of legitimate users.
Trickbot ransomware has even been used to commit murder. As Microsoft noted, it “crippled the IT network of a German hospital resulting in the death of a woman seeking emergency treatment.”
According to Microsoft,
What makes [Trickbot] so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.
Trickbot’s phishing campaigns are often based on “breaking news” topics such as Black Lives Matter and COVID-19.
Microsoft was able to identify the IP addresses of Trickbot’s servers. It then obtained a court order to disable the addresses.
In its court action, Microsoft used several arguments arising out of its intellectual property (IP) rights.
Microsoft argued in its court filings that
by damaging its reputation, brands, and customer goodwill, Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered, and controlled by Trickbot, the Windows operating system ceases to operate normally and become tools for Defendants to conduct their theft.
Additionally, Microsoft claimed,
Users subject to the negative effects of these malicious applications incorrectly believe that Microsoft and Windows are the source of their computing device problems. There is a great risk that users may attribute this problem to Microsoft and associate these problems with Microsoft’s Windows products, thereby diluting and tarnishing the value of the Microsoft and Windows trademarks and brands.
Microsoft successfully argued that Trickbot was infringing Microsoft’s software copyrights by copying and using Microsoft’s software development kit (SDK) for malicious purposes.
ZDNet referred to this IP-based strategy as a “genius legal move”:
In previous cases, Microsoft or law enforcement usually had to present evidence and be ready to prove that the malware was incurring financial damages to victims in a certain jurisdiction, steps that usually meant identifying and contacting victims.
The new approach focused on the misuse of its Windows SDK code is both easier to prove and argue, but it can also be used in any jurisdiction, providing Microsoft’s legal team with a more agile approach to going after malware gangs — which is why Microsoft is likely to reuse it for faster crackdown in the future.