How to Protect Yourself Against Rise of Trickbot Ransomware

The infamous Trickbot ransomware botnet is on the rise, according to reports from multiple security research firms.

After being dismantled in a joint effort by Microsoft and the Pentagon, the Russian-speaking group of cybercriminals is spreading its malicious software once again, and security research firms are classifying it as a “critical” threat.

Where does it usually show up? Well, in your inbox, of course — the most vulnerable place on the internet.

What is Trickbot?

Trickbot is a botnet with over a million “zombie” computers. Botnets work by infecting computers with malware to add them to a distributed network of other computers. With the malicious software operating, hackers are able to pool the collective resources of the network to launch ransomware attacks, distributed denial of service attacks, and more.

Trickbot is one of the more infamous examples, operating out of numerous locations in Eastern Europe, including Russia, Ukraine, and Belarus. As reported by The Daily Beast, the hacker group and the botnet it is named after are on the rise again.

Computers become infected mainly through phishing emails, which usually accuse the reader of committing some sort of crime. Once the reader clicks one of the links in the email, the attackers are able to execute malicious code and infect the computer, potentially stealing login information or banking credentials. The network then lobs ransomware attacks against high-value targets — usually businesses and wealthy individuals — to extort them.

Bitdefender, one of the leading antivirus services available, says that “Trickbot is more active than ever.” In May, Bitdefender’s detection systems started picking up increased signs of the tvncDll module, which is an updated version of the vncDll module that Trickbot has used in the past. Bitdefender says this module is used for monitoring potential targets, suggesting that Trickbot is planning another string of attacks.

Security research firm Fortinet has also identified a new strain of ransomware called Diavol. As is typical of ransomware, Diavol encrypts the files on your computer and holds them for ransom. With everything locked, you’ll only have access to a text document that asks you to download a browser and pay a ransom to restore your files. Typically, the files aren’t restored after the ransom is paid, as the criminals continue to extort your data.

Fortinet identified the new strain as a “critical” threat, and it’s easy to see why. Trickbot was mostly dismantled by Microsoft and the Pentagon prior to the 2020 U.S. election.

Citing fears of interference, Microsoft was able to eliminate about 94% of Trickbot’s critical infrastructure, largely taking the botnet offline. It didn’t get rid of everything, though, and recent reports show that the group has been quick to rebuild.

How to keep yourself safe


Trickbot doesn’t exploit a single vulnerability, so the only way to keep yourself safe is to follow good cybersecurity practices. The most important thing is to regularly update your operating system. Windows updates patch security vulnerabilities and update the list of known threats. If you’re staying on top of Windows updates, you’ll be protected from threats as soon as security researchers identify them and a fix ships.

It’s important to be careful with your email inbox, too. As mentioned, Trickbot is able to spread through malicious links in emails. Usually citing some small crime, the email will ask you to click on a link to pay a fine or to provide proof you didn’t commit the crime. After you click the link, the software is able to infect your machine and potentially spread through your network to other machines.

Although most phishing emails accuse users of committing a crime, that’s not all you have to look out for. We recommend avoiding links from email addresses you don’t recognize altogether. Once you click, there’s no turning back.

If you’re still worried, you can also invest in or at least set up an antivirus program. Windows Defender, which is included for free with Windows, will protect you from most threats. Windows also includes ransomware protection. However, services like Bitdefender and Avira employ behavioral detection systems to identify new forms of malware based on how they act on your machine.
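The three protections described above (current updates, Windows Defender, and the built-in ransomware protection, which Windows calls Controlled Folder Access) can all be checked and switched on from PowerShell. The script below is an added example written for this page, not code from the article or from Microsoft; it assumes a Windows 10/11 machine where Microsoft Defender Antivirus is the active antivirus (the `Defender` module ships with Windows) and an elevated prompt, since `Set-MpPreference` needs administrator rights. The function and variable names are the example’s own.

```powershell
# Added example (not from the article): audit and enable the protections the
# article recommends. Assumes Microsoft Defender Antivirus is the active AV and
# the session is elevated. Function names below are this example's own.

function Get-RansomwareBaseline {
    # Current Defender state and preferences (built-in Defender module cmdlets)
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # Most recently installed update, as a rough "are updates current?" check
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        RealtimeProtection     = $status.RealTimeProtectionEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
        # 0 = Disabled (weak), 1 = Enabled, 2 = AuditMode (logs but does not block)
        ControlledFolderAccess = $pref.EnableControlledFolderAccess
        LastUpdateId           = $lastFix.HotFixID
        LastUpdateInstalled    = $lastFix.InstalledOn
    }
}

function Enable-RansomwareBaseline {
    # Weak state: real-time monitoring off, Controlled Folder Access disabled.
    # Corrected state: both on, plus cloud-delivered protection so Defender can
    # use behaviour-based verdicts rather than signatures alone.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    # Refresh the list of known threats the article refers to
    Update-MpSignature
}

"Before:"
Get-RansomwareBaseline | Format-List

Enable-RansomwareBaseline

"After:"
Get-RansomwareBaseline | Format-List
```

Controlled Folder Access blocks any unrecognised program from writing to Documents, Pictures and the other protected folders, which is exactly what stops a file-encrypting payload but can also trip up legitimate software. If you are unsure, set it to `AuditMode` first, watch the Windows Security event log for blocked writes, and add any trusted program with `Add-MpPreference -ControlledFolderAccessAllowedApplications` before switching to `Enabled`.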

Repost: Original Source and Author Link


Microsoft did door-to-door router replacements to stop Trickbot malware

Microsoft says it’s gone door-to-door replacing routers compromised with the Trickbot malware in Brazil and Latin America, hoping to squash an international hacking group. The Daily Beast reported the detail in an article about the group, which is an ongoing target for US Cyber Command as well as information security companies like Microsoft.

The Daily Beast reports that the hacking ring — also known as Trickbot and based in Russia, Belarus, Ukraine, and Suriname — is a persistent presence online. The group uses compromised computers as a massive botnet and runs ransomware attacks and other illegal operations. Trickbot is known to hijack routers and internet of things devices, which are often easy to infect without their owners realizing it. Eradicating malware from routers can be particularly difficult for users, making in-person replacement a surprisingly effective tactic.

Law enforcement agencies and companies have made some recent inroads into tackling Trickbot. The Justice Department charged a woman who allegedly helped develop it last month, and Microsoft boasted in 2020 that it had cut off 94 percent of the group’s server infrastructure, aiming to prevent any attacks on the US election. But Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, told The Daily Beast that Trickbot remained a “continuing challenge.” That’s where the router replacement comes in — apparently as a partnership with local internet service providers.

Trickbot has allegedly been behind attacks on hospitals, schools, and governments, stealing login credentials and locking computer systems to demand payment. Microsoft’s door-to-door replacement operation is just one piece of the attempts to stop it, but it’s an interesting ground-level tactic in the malware fight.


Justice Department has charged a Latvian woman it says helped develop Trickbot malware

The US Department of Justice has charged a Latvian woman for her role in allegedly developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments, the agency said in a news release.

The DOJ alleges that Alla Witte was part of a criminal organization known as the Trickbot Group that operated in Russia, Belarus, Ukraine, and Suriname. She allegedly helped develop the malware, which was used to enable ransomware demands and payments. Victims would receive a notice that their computers were encrypted, the DOJ said, and were directed to buy special software through a bitcoin address linked to the Trickbot Group to have their files decrypted.

According to the DOJ, the Trickbot malware was designed to capture online banking login credentials to gain access to other personal information including credit card numbers, emails, passwords, Social Security numbers, and addresses. The group allegedly used stolen personal information “to gain access to online bank accounts, execute unauthorized electronic funds transfers and launder the money through U.S. and foreign beneficiary accounts,” the DOJ said.

Federal law enforcement agencies warned hospitals and healthcare providers last October of a credible ransomware threat by attackers using Trickbot to deploy ransomware such as Ryuk and Conti.

Witte was arrested February 6th in Miami. She is charged with 19 counts including conspiracy to commit computer fraud and aggravated identity theft, conspiracy to commit wire and bank fraud affecting a financial institution, aggravated identity theft, and conspiracy to commit money laundering.
