Microsoft takes over to disable Trickbot before 2020 elections

microsoft takes over to take down trickbot 2020 images

While America’s government hasn’t been paying as much attention to our election security, Microsoft has jumped in to save the 2020 Presidential election as they announced legal action Monday wanting to disrupt a major cybercrime digital network that has taken over more than 1 million zombie computers to empty bank accounts and put ransomware on millions more unsuspecting computer systems. Experts have long considered this a major threat to the election.

Bringing Back Gold Standard

Microsoft shocked many back in 2018 when they retired their gold standard Microsoft Security Intelligence Report which provided a yearly overview of major events and trends in cyber-security and threats. They brought it back two weeks just in time to take action and make voters aware of vulnerabilities in America’s election system. Email phishing in the enterprise sector continues to grow as hackers main way in. The Top 5 most spoofed known brands include Amazon, Apple, Microsoft, UPS, and Zoom. If you get an e-mail from one of these companies, look at the actual return e-mail before opening it.

In 2019, Microsoft was able to block over 13 billion malicious and suspicious e-mails with more than 1 billion of those containing URLS set up solely for the purpose of launching a widescale phishing attack.


The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with an order that Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers. “We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”

Cybersecurity experts said that Microsoft’s use of a U.S. court order to persuade internet providers to take down the botnet servers is laudable. But they add that it’s not apt to be successful because too many won’t comply and because Trickbot’s operators have a decentralized fall-back system and employ encrypted routing.

Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders.” And the cybersecurity firm Intel 471 reported no significant hit on Trickbot operations Monday and predicted ”little medium- to long-term impact” in a report shared with The Associated Press.

But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said that a temporary Trickbot disruption could, at least during the election, limit attacks and prevent the activation of ransomware on systems already infected.

Cyber Command Attempt

The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by the U.S. military’s Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking providers to deny hosting to domains used by command-and-control servers.

A U.S. policy called “persistent engagement” authorizes U.S. cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation jockeys during U.S. midterm elections in 2018.

how trickbot enterprise worked

Trickbot Created In 2016

Created in 2016 and used by a loose consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware in the computers of unwitting individuals and websites. In recent months, its operators have been increasingly renting it out to other criminals who have used it to sow ransomware, which encrypts data on target networks, crippling them until the victims pay up.

One of the biggest reported victims of a ransomware variety sowed by Trickbot called Ryuk was the hospital chain Universal Health Services, which said all 250 of its U.S. facilities were hobbled in an attack last month that forced doctors and nurses to resort to paper and pencil.

Major Threat

U.S. Department of Homeland Security officials list ransomware as a major threat to the Nov. 3 presidential election. They fear an attack could freeze up state or local voter registration systems, disrupting voting, or knock out result-reporting websites.

While cybersecurity experts say the operators of Trickbot and affiliated digital crime syndicates are Russian speakers mostly based in eastern Europe, they caution that they are motivated by profit, not politics. They do, however, operate with impunity with no Kremlin interference as long as their targets are abroad.


“In today’s world, Trickbot is a type of a plague,” said Alex Holden, founder of Milwaukee-based Hold Security, which tracks its activity closely on the dark web, “and a government that ignores a global plague is more than complacent.”

Trickbot is “malware-as-a-service,” its modular architecture lets it be used as a delivery mechanism for a wide array of criminal activity. It began mostly as a so-called banking Trojan that attempts to steal credentials from online bank account so criminals can fraudulently transfer cash.

But recently, researchers have noted a rise in Trickbot’s use in ransomware attacks targeting everything from municipal and state governments to school districts and hospitals. Ryuk and another type of ransomware called Conti — also distributed via Trickbot — dominated attacks on the U.S. public sector in September, said Callow of Emsisoft.

Holden said the reported Cybercom disruption — involving efforts to confuse its configuration through code injections — succeeded in temporarily breaking down communications between command-and-control servers and most of the bots.

“But that’s hardly a decisive victory,” he said, adding that the botnet rebounded with new victims and ransomware.

The disruption that hit in two waves began Sept. 22.

microsoft digital crimes unit fighting cybercrime ransomeware for 2020 elections

How Microsoft’s Digital Crimes Unit Works

The Digital Crimes Unit (DCU) is leading the fight against cybercrime to protect customers and promote trust in Microsoft. We fight cybercrime globally through the innovative application of technology, forensics, civil actions, criminal referrals, and public/private partnerships while protecting the security and privacy of our customers.

The Digital Crimes Unit is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals located in 20 countries.

DCU uses advanced analytics and artificial intelligence to identify, investigate, disrupt, and dismantle sophisticated online criminal networks.

Cybercrime is borderless and impacts victims across the globe. Law enforcement’s authority can be constrained by jurisdiction and the limitations of legal processes used to request information beyond national borders. Fighting cybercrime requires strong international public and private partnerships.

We partner with local and global law enforcement, security firms, researchers, NGOs, and customers. Through our partnerships we can act faster to stop harm to customers and develop evidence that law enforcement can use to drive arrests and convictions.

Microsoft’s Digital Crimes Unit Focues On These Areas:

Cloud Crime and Malware In partnership with threat intelligence and security experts across Microsoft, the DCU applies unique legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state sponsored activity.

  • Since 2010, the DCU has collaborated with law enforcement and other partners on 22 malware disruptions, resulting in over 500 million devices rescued from cybercriminals.
  • The DCU’s malware disruption operations are powered by Azure, providing unrivaled computing power.
  • Traffic from victim devices that once communicated to criminal servers is safely rerouted to Microsoft’s Cyber Threat Intelligence Program (CTIP). Victim devices are cleaned through antivirus programs such as Windows Defender Antivirus or intelligence is shared with Computer Emergency Response Teams (CERTs) and Internet Service Providers (ISPs) around the world to notify victims and assist with removal of the malware.


  • In 2016, the DCU used a civil action to disrupt a nation-state actor called Strontium, or Fancy Bear, that had leveraged Microsoft-like domains for spear phishing attacks, enabling the criminals to install a remote access kit that could be used to exfiltrate sensitive data.
  • The DCU obtained a court order to re-direct the Microsoft-like domains leveraged by Strontium to a sink-hole. We were able to protect potential victims from losing their data to cybercriminals.
  • We were also able to stop continuing spear-phishing attacks by Strontium by seeking appointment of a Special Master to expedite additional motions as new domains were registered by Strontium, with a response from the court in 24 hours or less.

Global Strategic Enforcement

The DCU’s Global Strategic Enforcement Team (GSET) identifies, investigates, and takes enforcement against sophisticated global online criminal networks who specialize in business email compromise (BEC), stealing credentials, and online fraud.

  • 90% of intrusions begin with an email. BEC is a growing threat to our customers and online commerce. The DCU is investing heavily in its enforcement program to identify, investigate, and disrupt BEC attacks while supporting the prosecution of responsible cybercriminals.
  • Numerous schemes are designed to improperly access and misuse customer account credentials. Cybercriminals frequently seek to compromise accounts to fraudulently transact business or facilitate further cybercrime.
  • GSET tackles online fraud to protect our customers and services. Cybercriminals frequently seek to fraudulently gain access to Microsoft programs that are intended to benefit students, underserved communities, and aspiring entrepreneurs. Online fraud schemes not only hurt Microsoft but also people and communities in most need of support.
how cybercriminals fake ceo accounts to get access

Tech Support Fraud

The DCU leverages data analytics and machine learning to investigate criminal networks engaged in tech support fraud. We take legal action and refer cases to law enforcement and apply what is learned to strengthen our products and services and educate consumers on how to stay safe online.

  • According to a 2018 Microsoft global online survey (, 3 out of 5 people globally have experienced a tech support scam.
  • Scammers attempt to convince victims to provide remote access to their devices by impersonating a wide range of reputable technology companies, such as Apple, Google and Microsoft. Victims spend hundreds of dollars on these phony tech support services.
  • Leveraging complaints received directly from consumers and pop-up advertisements scraped and classified through machine learning tools, Microsoft investigates criminal networks behind this global scam. We refer cases to law enforcement and take legal actions ourselves to protect our customers.
  • Microsoft helps to educate consumers on how to stay safe online on the Windows Security Support site ( and through partnerships with trusted organizations.

Online Child Exploitation

Microsoft equips technology companies and others with PhotoDNA to help detect, disrupt, and report the distribution of child sexual abuse images and videos.

  • In 2009, Microsoft partnered with Dartmouth college to develop the hash matching technology known as PhotoDNA. This hashing and matching process makes it possible to effectively detect and disrupt illegal images of child sexual exploitation from the hundreds to billions of images that may be uploaded to an application or online platform daily. Over 150 organizations across the globe are using PhotoDNA today.
  • PhotoDNA technology resulted in more than 10 million CyberTips to the National Center for Missing & Exploited Children (NCMEC) in 2017 alone.
  • Microsoft continues to innovate to combat online child exploitation including developing PhotoDNA in the cloud and applying PhotoDNA to video.