Paul Vixie of Farsight Security said via email "experience tells me it won't scale — there are too many IPs behind uncooperative national borders". And the cybersecurity firm Intel 471 reported no significant hit on Trickbot operations Monday and predicted "little medium- to long-term impact" in a report shared with The Associated Press.
But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said that a temporary Trickbot disruption could, at least during the election, limit attacks and prevent the activation of ransomware on systems already infected.
The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by the US military's Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking online services to deny hosting to domains used by command-and-control servers.
A US policy called "persistent engagement" authorises US cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation jockeys during US midterm elections in 2018.
Created in 2016 and used by a loose consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware in the computers of unwitting individuals and websites. In recent months, its operators have been increasingly renting it out to other criminals who have used it to sow ransomware, which encrypts data on target networks, crippling them until the victims pay up.
One of the biggest reported victims of a ransomware variety sowed by Trickbot called Ryuk was the hospital chain Universal Health Services, which said all 250 of its US facilities were hobbled in an attack last month that forced doctors and nurses to resort to paper and pencil.
US Department of Homeland Security officials list ransomware as a major threat to the November 3 presidential election. They fear an attack could freeze up state or local voter registration systems, disrupting voting, or knock out result-reporting websites.
Trickbot is a particularly robust internet nuisance. Called "malware-as-a-service," its modular architecture lets it be used as a delivery mechanism for a wide array of criminal activity. It began mostly as a so-called banking Trojan that attempts to steal credentials from online bank accounts so criminals can fraudulently transfer cash.
But recently, researchers have noted a rise in Trickbot's use in ransomware attacks targeting everything from municipal and state governments to school districts and hospitals. Ryuk and another type of ransomware called Conti — also distributed via Trickbot — dominated attacks on the US public sector in September, said Callow of Emsisoft.
Alex Holden, founder of Milwaukee-based Hold Security, tracks Trickbot's operators closely and said the reported Cybercom disruption — involving efforts to confuse its configuration through code injections — succeeded in temporarily breaking down communications between command-and-control servers and most of the bots.
"But that's hardly a decisive victory," he said, adding that the botnet rebounded with new victims and ransomware.
The disruption — in two waves that began September 22 — was first reported by cybersecurity journalist Brian Krebs.
The AP could not immediately confirm the reported Cybercom involvement.
- Associated Press