{
	"id": "0e7c9843-93fb-4782-b4f0-40292f8942ab",
	"created_at": "2026-04-06T00:10:39.2823Z",
	"updated_at": "2026-04-10T13:12:10.736186Z",
	"deleted_at": null,
	"sha1_hash": "a33fdfef934a6d6353c199ae46b41bc4d2cc533a",
	"title": "Trickbot, Phishing, Ransomware \u0026 Elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105205,
	"plain_text": "Trickbot, Phishing, Ransomware \u0026 Elections\r\nBy Adam Caudill\r\nPublished: 2020-10-19 · Archived: 2026-04-02 11:51:19 UTC\r\nThe last few weeks have been rough for the operators of the Trickbot botnet, a malware-as-a-service operation,\r\nwho are facing coordinated attacks from both the US Cyber Command and Microsoft, with the aid of a number of\r\npartners. Trickbot's operators went from successful, with over a million infections, to becoming the target of the\r\nUS military and major corporations — and Reuters is reporting that indictments resulting from an FBI\r\ninvestigation will be unsealed soon.\r\nThis story has a bit of everything: international intrigue, attacks on healthcare providers, phishing at a vast\r\nscale (using topics such as COVID-19 and Black Lives Matter as lures), the Internet of Things, counter-hacking,\r\nransomware, stolen government secrets, novel legal techniques, and even a potential election impact. There is\r\nenough here for a techno-thriller.\r\nWhile Trickbot has taken some hard punches, it's probably not done. Its command and control (C2) servers are\r\nspread across the world, some far from the reach of the court order that Microsoft is using to take many of them\r\ndown. There are also signs that the people behind Trickbot are fighting back, bringing new servers up as others go\r\ndown. Disrupting a botnet is one thing, but killing it is another.\r\nLike many botnets, Trickbot has a history of being used for a variety of things, sending phishing emails to spread\r\nfurther, capturing credentials from victims' browsers, and distributing ransomware (Ryuk, in this case) —\r\nencrypting files and demanding payment for their return. As is often the case, the full harm caused by a botnet like\r\nthis is hard to quantify, but with over a million infections, it's safe to say the harm has been substantial. And\r\nremember that one of the victims was a major healthcare provider. 
While the impact on the provider's level of\r\ncare isn't clear today, one must wonder if health outcomes were affected.\r\nA Novel Legal Approach\r\nMicrosoft has leveraged the courts to take down other botnets, though this time it used a new legal maneuver:\r\ncopyright violation. To secure the order to take down the IP addresses used by the Trickbot C2 servers, Microsoft\r\npointed out that all programs that run on Windows require the use of the Windows SDK (for example, the header\r\nfiles for the Windows API), and the SDK's license includes a provision that prohibits its use \"in malicious,\r\ndeceptive, or unlawful programs.\" In addition, Microsoft claimed trademark infringement and other violations of\r\nlaw, as it has done in previous cases.\r\nIn essence, the argument is that any program that targets Windows that is malicious, deceptive, or illegal violates\r\nthe license associated with the SDK, and thus is a violation of Microsoft's copyright. This has provided Microsoft\r\n(and the makers of other operating systems) a new method to fight the creators of malware.\r\nIt's a Phish … Again\r\nOften, the route to infection starts with an email, something catchy or important in the subject line, and an\r\nattachment or a link to a file. If the file is opened, the victim is tricked into activating a malicious macro, and then\r\nhttps://www.darkreading.com/vulnerabilities---threats/trickbot-phishing-ransomware-and-elections/a/d-id/1339190\r\nPage 1 of 3\n\nthe system is compromised. Security tools are disabled, data is stolen from a variety of sources, and attacks\r\nagainst other systems are launched.\r\nPhishing — from mass emails sent indiscriminately to spear-phishing that's highly targeted and customized — is a\r\nthreat that year after year continues to be among the largest threats to both business and end users. This\r\nomnipresent threat is one that everyone should be aware of and take steps to protect themselves from. 
Here are\r\nseveral ways to do this:\r\nEmail systems should be set up to scan for and block known threats.\r\nUsers' systems should be configured to disable dangerous features, such as macros in Office documents\r\n(unless absolutely needed).\r\nEmail attachments should be treated as suspicious by default; users should never assume that any\r\nattachment is trustworthy unless they are expecting it and it's coming from a trusted sender. Assume it's\r\nmalicious unless there's a good reason to believe otherwise.\r\nJust because it looks like it's from someone recognizable doesn't mean it is; anything that looks odd or\r\nsuspicious should be confirmed out-of-band before clicking links or opening attachments.\r\nIt's always better to err on the side of caution when dealing with email, especially when anything seems off.\r\nRansomware Attacks \u0026 Election Security\r\nIn the United States, there are more than 10,000 separate election jurisdictions, using some combination of city,\r\ncounty, and state technical resources. Each of these represents a target for organized ransomware operations,\r\ntargets that offer increasing value as the election approaches.\r\nAs vulnerable targets are found, operators may wait until the time is best, when it’s most lucrative to strike. As we\r\napproach an election that may bring both record turnouts and controversy, any delays or disruptions are sure to\r\ndraw nationwide attention and raise questions about the integrity of the outcome. This means that anything that is\r\neven loosely related to elections is a prime target, and officials would be desperate to recover as quickly as\r\npossible.\r\nUnderstanding this tactic of ransomware operators makes it easy to see why it’s important to act sooner rather than\r\nlater.\r\nThe Future of Trickbot\r\nTrickbot itself may or may not survive this effort to end its attacks, but the techniques will and the code behind it\r\nmay — and once it's gone, there will be a replacement. 
Criminals are making a significant amount of money with\r\nthese operations, and there will always be another one ready to replace the one that gets shut down.\r\nWhile this disruption is a real victory, vigilance is still required.\r\nAbout the Author\r\nSecurity Architect, 1Password\r\nAdam Caudill is a security architect at 1Password, and has 20 years of experience in research, security and\r\nsoftware development. Adam's main areas of focus include application security, secure communications and\r\ncryptography. He is also an active blogger, speaker and trainer, open source contributor, and advocate for user\r\nprivacy and protection.\r\nSource: https://www.darkreading.com/vulnerabilities---threats/trickbot-phishing-ransomware-and-elections/a/d-id/1339190",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/vulnerabilities---threats/trickbot-phishing-ransomware-and-elections/a/d-id/1339190"
	],
	"report_names": [
		"1339190"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a33fdfef934a6d6353c199ae46b41bc4d2cc533a.pdf",
		"text": "https://archive.orkl.eu/a33fdfef934a6d6353c199ae46b41bc4d2cc533a.txt",
		"img": "https://archive.orkl.eu/a33fdfef934a6d6353c199ae46b41bc4d2cc533a.jpg"
	}
}