{
	"id": "6b17c522-cd9e-446d-b8d3-da042e6eac06",
	"created_at": "2026-04-06T00:10:58.77315Z",
	"updated_at": "2026-04-10T03:22:06.508872Z",
	"deleted_at": null,
	"sha1_hash": "31d9c2e5fed8c75bfba49e3aaf32802b147c9569",
	"title": "New action to combat ransomware ahead of U.S. elections  - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46916,
	"plain_text": "New action to combat ransomware ahead of U.S. elections  -\r\nMicrosoft On the Issues\r\nBy Tom Burt\r\nPublished: 2020-10-12 · Archived: 2026-04-05 18:00:02 UTC\r\nToday we took action to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific\r\ndistributors of ransomware.\r\nAs the United States government and independent experts have warned, ransomware is one of the largest threats to\r\nthe upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls\r\nor report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.\r\nWe disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership\r\nwith telecommunications providers around the world. We have now cut off key infrastructure so those operating\r\nTrickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer\r\nsystems.\r\nIn addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range\r\nof organizations including financial services institutions, government agencies, healthcare facilities, businesses\r\nand universities from the various malware infections Trickbot enabled.\r\nThe Trickbot botnet\r\nTrickbot has infected over a million computing devices around the world since late 2016. While the exact identity\r\nof the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of\r\nobjectives.\r\nIn the course of Microsoft’s investigation into Trickbot, we analyzed approximately 61,000 samples of Trickbot\r\nmalware. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims\r\nfor the operators’ purposes through a “malware-as-a-service” model. 
Its operators could provide their customers\r\naccess to infected machines and offer them a delivery mechanism for many forms of malware, including\r\nransomware. Beyond infecting end user computers, Trickbot has also infected a number of “Internet of Things”\r\ndevices, such as routers, which has extended Trickbot’s reach into households and organizations.\r\nIn addition to maintaining modular capabilities for a variety of end purposes, the operators have proven adept at\r\nchanging techniques based on developments in society. Trickbot’s spam and spear phishing campaigns used to\r\ndistribute malware have included topics such as Black Lives Matter and COVID-19, enticing people to click on\r\nmalicious documents or links. Based on the data we see through Microsoft Office 365 Advanced Threat Detection,\r\nTrickbot has been the most prolific malware operation using COVID-19 themed lures.\r\nDisruption components and new legal strategy\r\nhttps://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/\r\nPage 1 of 3\n\nWe took today’s action after the United States District Court for the Eastern District of Virginia granted our\r\nrequest for a court order to halt Trickbot’s operations.\r\nDuring the investigation that underpinned our case, we were able to identify operational details including the\r\ninfrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk\r\nwith each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we\r\nobserved the infected computers connect to and receive instructions from command and control servers, we were\r\nable to identify the precise IP addresses of those servers. 
With this evidence, the court granted approval for\r\nMicrosoft and our partners to disable the IP addresses, render the content stored on the command and control\r\nservers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to\r\npurchase or lease additional servers.\r\nTo execute this action, Microsoft formed an international group of industry and telecommunications providers.\r\nOur Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse\r\nengineering, with additional data and insights to strengthen our legal case from a global network of partners\r\nincluding FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition\r\nto our Microsoft Defender team. Further action to remediate victims will be supported by internet service\r\nproviders (ISPs) and computer emergency readiness teams (CERTs) around the world.\r\nThis action also represents a new legal approach that our DCU is using for the first time. Our case includes\r\ncopyright claims against Trickbot’s malicious use of our software code. This approach is an important\r\ndevelopment in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in\r\nthe large number of countries around the world that have these laws in place.\r\nWe fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our\r\npartners to monitor their activities and take additional legal and technical steps to stop them.\r\nImpact to additional sectors\r\nIn addition to its threat to elections, Trickbot is known for using malware to reach online banking websites and\r\nsteal funds from people and financial institutions. Financial institutions ranging from global banks and payments\r\nprocessors to regional credit unions have been targeted by Trickbot. 
For this reason, the Financial Services\r\nInformation Sharing and Analysis Center (FS-ISAC) has been a critical partner and a co-plaintiff in our legal\r\naction.\r\nWhen someone using a Trickbot-infected computer attempts to log onto a financial institution’s website, Trickbot\r\nexecutes a series of activities to secretly hijack the user’s web browser, capture the person’s online financial login\r\ncredentials and other personal information, and send that information to the criminal operators. People are\r\nunaware of Trickbot’s activity as the operators have designed it to hide itself. After Trickbot captures login\r\ncredentials and personal information, operators use that information to access people’s bank accounts. People\r\nexperience a normal login process and are typically unaware of the underlying surveillance and theft.\r\nTrickbot is also known to deliver the Ryuk crypto-ransomware that has been used in attacks against a wide range\r\nof public and private institutions. Ransomware can have devastating effects. Most recently, it crippled the IT\r\nnetwork of a German hospital resulting in the death of a woman seeking emergency treatment. Ryuk is a\r\nsophisticated crypto-ransomware because it identifies and encrypts network files and disables Windows System\r\nRestore to prevent people from being able to recover from the attack without external backups. Ryuk has been\r\nattacking organizations, including municipal governments, state courts, hospitals, nursing homes, enterprises and\r\nlarge universities. 
For example, Ryuk has been attributed to attacks targeting a contractor for the Department of\r\nDefense, the North Carolina city of Durham, an IT provider for 110 nursing homes, and a number of hospitals\r\nduring the COVID-19 pandemic.\r\nElection security and guarding against malware\r\nAs we shared last month in the Microsoft Digital Defense Report, ransomware is on the rise. For organizations\r\ninvolved in the elections wanting protection from ransomware and other threats, we offer the threat notification\r\nservice AccountGuard at no cost which now protects more than two million email accounts around the world.\r\nWe’ve completed more than 1,500 AccountGuard nation-state attack notifications to AccountGuard enrollees to\r\ndate. We also offer Microsoft 365 for Campaigns, an easy-to-set-up version of Microsoft 365 that comes with\r\nintelligent and secure default settings at an affordable price. Finally, Election Security Advisors provide proactive\r\nresiliency services and reactive incident response for campaigns and election officials, also at an affordable price.\r\nOur Digital Crimes Unit will also continue to engage in operations to protect organizations involved in the\r\ndemocratic process and our entire customer base. Since 2010, Microsoft, through the Digital Crimes Unit, has\r\ncollaborated with law enforcement and other partners on 23 malware and nation-state domain disruptions,\r\nresulting in over 500 million devices rescued from cybercriminals. With this civil action, we have leveraged a new\r\nlegal strategy that allows us to enforce copyright law to prevent Microsoft infrastructure, in this case our software\r\ncode, from being used to commit crime. 
As copyright law is more common than computer crime law, this new\r\napproach helps us pursue bad actors in more jurisdictions around the world.\r\nTo make sure your computer is free of malware, visit support.microsoft.com/botnets.\r\nTags: cybersecurity, Defending Democracy Program, ElectionGuard, ransomware, trickbot\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/"
	],
	"report_names": [
		"trickbot-ransomware-cyberthreat-us-elections"
	],
	"threat_actors": [],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31d9c2e5fed8c75bfba49e3aaf32802b147c9569.pdf",
		"text": "https://archive.orkl.eu/31d9c2e5fed8c75bfba49e3aaf32802b147c9569.txt",
		"img": "https://archive.orkl.eu/31d9c2e5fed8c75bfba49e3aaf32802b147c9569.jpg"
	}
}