- Cybercriminals carried out a string of ransomware attacks against US hospitals last week and could be poised to launch even more, the FBI has warned.
- The attacks were carried out using Trickbot, a massive network of bots that has for years evaded efforts by security firms and governments to shut it down.
- The wave of Trickbot attacks last week was surprising, as Microsoft announced last month that it had significantly disrupted the bot network by working with the US military, taking 94% of its infrastructure offline.
- Cybersecurity experts say the events show Trickbot’s resiliency, and build on longstanding fears that the bot network could be used to target voting infrastructure on Election Day, potentially making it more difficult to count ballots.
Last month, Microsoft announced it had won a major victory in the fight against cybercrime. The company said in mid-October that it had thwarted Trickbot — a stubborn malware network that’s been used to infect critical computer systems, often shutting them down for ransom. Experts were relieved by the announcement; Trickbot, they had warned, could be used to target voting systems and cause chaos on Election Day.
But less than two weeks later, Trickbot was back.
Cybercriminals used Trickbot in conjunction with other viruses to carry out a wave of attacks against US hospitals last week, disrupting their computer systems and delaying surgeries. More attacks carried out by the same group could be looming, the FBI said in a warning.
Its renewal raises new questions about the strength and scale of Trickbot, as well as the effectiveness of Microsoft’s tactics in combating it.
Trickbot’s quick resurgence also raises concerns about Election Day — experts have long warned that networks like Trickbot could be used to target voting systems and cause chaos, and Microsoft explicitly said that it aimed to disrupt Trickbot close to the election to fend off such attacks. The US Military’s Cyber Command also assisted with the effort specifically to protect voting systems from Trickbot, The Washington Post reported.
“Our disruption is intended to disable Trickbot’s infrastructure and make it difficult for its operators to enable ransomware attacks, which have been identified as one of the biggest threats to the upcoming U.S. elections,” Microsoft VP for security Tom Burt said in a blog post last month, claiming that Microsoft disabled 94% of Trickbot’s infrastructure globally.
Security experts told Business Insider that Trickbot’s resilience is a sign that it is unlikely to be thwarted by Election Day. Its resurgence is also another sign that hackers and their malware have grown more formidable, even against security giants like Microsoft.
Microsoft did not provide an on-the-record statement in response to Business Insider’s request for comment. We will update this article if that changes.
“The Trickbot disruption efforts looked more like a PR stunt rather than a takedown operation. By now it’s pretty clear to everyone that Trickbot is not going away anytime soon,” Stefan Tanase, a cybercrime analyst, told Business Insider.
Other experts say they believe Microsoft’s disruption of Trickbot was effective, but that the recent surge in attacks shows hackers’ resourcefulness in evading such crackdowns. The FBI said cybercriminals behind the recent attacks on US hospitals used Trickbot in conjunction with a strain of ransomware called Ryuk and a different botnet called BazarLoader, which could ultimately replace long-established botnets like Trickbot.
“There is no doubt that the actions by Microsoft and US Cyber Command significantly disrupted Trickbot. The series of attacks on hospitals may have been the result of old and previously unexploded ordnance being detonated via Trickbot’s remaining
Hacker groups could also be retaliating against the attempted Trickbot takedown by Microsoft and the US government, according to Caleb Barlow, CEO of the security firm CynergisTek.
“The timing of this threat raises many eyebrows, occurring just two weeks after an attempted takedown of TrickBot by the U.S. government and Microsoft and less than a week out from the Presidential election,” Barlow said via email. “TrickBot may have been significantly disrupted but it is also clearly resilient.”
These experts and others say they see Trickbot and other ransomware as an Election Day threat because they could be used to cause chaos or force local governments to pay hefty ransoms.
The ransomware works by crippling victims’ computer systems to extort them. Cybercriminals send their victims phishing links that appear to be trustworthy in order to get their login credentials; from there, they break into an organization’s computer systems and install the ransomware, which locks down the systems until victims pay a ransom.
There’s no indication that hackers would be able to alter vote tallies with the ransomware; rather, cyberattacks could disrupt local elections offices’ administrative processes to slow the counting of ballots or make it harder for officials to announce the results of elections. US officials said last month that Russian hackers have targeted local elections offices, stealing voter data from at least two servers, possibly with the intent of disrupting their operations.
The recent string of ransomware attacks appears to be purely profit-motivated, experts said, but cybercriminals may see voting systems on Election Day as a highly profitable target given their crucial function.
Ransomware attacks have risen by 50% over the past three months, according to security firm Check Point, and experts say ransomware attacks will continue to proliferate as long as victims keep paying ransoms. Some firms have called on lawmakers to ban ransom payments in order to choke out incentives for criminals.
Even if Trickbot were successfully dismantled, cybercriminals would likely find other avenues as long as ransomware hacking remains profitable, according to Kurt Baumgartner, a researcher with cybersecurity firm Kaspersky.
“This group came back with a different bot family known as Bazar which is effectively replacing their Trickbot use,” Baumgartner said. “Unfortunately, their formula for penetrating networks, disrupting them, and coercing for ransom is one that continues to work for them in the US.”