{
	"id": "7132c0d0-beb2-4bcb-a519-9e197cd34647",
	"created_at": "2026-04-06T00:06:27.662786Z",
	"updated_at": "2026-04-10T03:21:01.867011Z",
	"deleted_at": null,
	"sha1_hash": "f0ea2c034719c2450cc1baec0f4ac93156f46223",
	"title": "An update on disruption of Trickbot - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39046,
	"plain_text": "An update on disruption of Trickbot - Microsoft On the Issues\r\nBy Tom Burt\r\nPublished: 2020-10-20 · Archived: 2026-04-05 20:26:13 UTC\r\nLast week, we announced a disruption targeting the botnet Trickbot. Trickbot is a network of servers and infected\r\ndevices run by criminals responsible for a wide range of nefarious activity including the distribution of\r\nransomware which can lock up computer systems. Our disruption is intended to disable Trickbot’s infrastructure\r\nand make it difficult for its operators to enable ransomware attacks, which have been identified as one of the\r\nbiggest threats to the upcoming U.S. elections. We’ve had many requests for updates on the operation, so I’d like\r\nto share more on how it’s going.\r\nAs of October 18, we’ve worked with partners around the world to eliminate 94% of Trickbot’s critical\r\noperational infrastructure including both the command-and-control servers in use at the time our action began and\r\nnew infrastructure Trickbot has attempted to bring online.\r\nHere’s how the numbers break down. We initially identified 69 servers around the world that were core to\r\nTrickbot’s operations, and we disabled 62 of them. The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server\r\ninfrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled\r\nto replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers\r\nthey attempted to add to their infrastructure. We’ve now disabled all but one of these new servers. 
In sum, from\r\nthe time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as\r\nTrickbot infrastructure around the world.\r\nTo be clear, these numbers will change regularly as we expect action we’ve already taken will continue to impact\r\nthe remaining infrastructure and as we and others continue to take new action between now and the election. This\r\nis challenging work, and there is not always a straight line to success. At the same time, we’re pleased with our\r\nprogress and for several reasons I’m optimistic about the outcomes we can achieve.\r\nFirst, Microsoft and our partners are trying to take a persistent and layered approach to addressing Trickbot’s\r\noperations around the world. This is necessary due to the unique architecture of the Trickbot botnet, and the\r\ncreativity and persistence of the criminals operating it. Since the initial court order we obtained, we’ve gone back\r\nto court and secured subsequent orders to take down the newly activated infrastructure. We will continue to do this\r\nbetween now and election day on November 3. Additionally, our partners and the hosting providers we work with\r\n– who have been crucial to our progress – have been sharing information that has uncovered more command-and-control servers. As we continue to cut off these new servers, our partners are also working to clean and remediate\r\nthe compromised IoT devices, especially routers, that the Trickbot operators are using as non-traditional\r\ncommand-and-control infrastructure. These compromised routers pose a unique challenge for the internet service\r\nproviders (ISPs) as they must simultaneously work to remediate devices while keeping legitimate traffic\r\nuninterrupted, and this delicate work is underway. 
Finally, we’re working with ISPs and others to also clean\r\ndevices in people’s homes and businesses that might be infected.\r\nSecond, this work has always been about disrupting Trickbot’s operations during peak election activity – doing\r\nwhat we can to take action at a critical time – and we’re encouraged by what we’re seeing. Anytime a botnet’s\r\nserver infrastructure is eliminated, the attempt to rebuild is not as simple as setting up new servers. New servers\r\nneed to be provisioned to begin talking with the botnet’s infected devices and issuing commands, all of which\r\ntakes time. We have identified new Trickbot servers, located their respective hosting provider, determined the\r\nproper legal methodology to take action, and completely disabled those servers in less than three hours. Our global\r\ncoordination has allowed a provider to take quick action as soon as we notify them – in one case, in less than six\r\nminutes. What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than\r\ninitiating fresh attacks, and it has had to turn elsewhere for operational help.\r\nIn fact, we and others have detected the Trickbot operators attempting to use a competing criminal syndicate to\r\ndrop what were previously Trickbot payloads. This is one of many signs that suggests to us that, faced with its\r\ncritical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active.\r\nWhile an arrangement with other actors will not enable Trickbot to equal its homegrown capabilities, it’s also a\r\nreminder that there are many threats to keeping cyberspace secure and it’s important for people – especially those\r\ninvolved in the security of our electoral processes – to stay vigilant. 
It’s also why we offer those involved in the\r\nelection tools such as AccountGuard, Microsoft 365 for Campaigns and Election Security Advisors.\r\nThird, we have the right team and the right groundwork in place to continue having impact in the coming weeks.\r\nOur Digital Crimes Unit has spent years studying, documenting and categorizing Trickbot’s infrastructure,\r\nidentifying which command-and-control nodes are traditional servers and which are actually IoT devices. We believe\r\nwe understand the right details about Trickbot’s infrastructure to focus our attention on the specific command-and-control servers that allow for the greatest degree of disruption. Even more importantly, our network of global\r\npartners is monitoring Trickbot’s activities and sharing information around the clock. And we have members of\r\nour Digital Crimes Unit around the world in direct contact with local ISPs and telecommunications companies.\r\nWe fully expect that Trickbot’s operators will continue looking for ways to stay operational, and we and our\r\npartners will continue to monitor them and take action. We encourage others in the security community who\r\nbelieve in protecting the elections to join the effort and share their intelligence directly with hosting providers and\r\nISPs that can take Trickbot’s infrastructure offline. As this work continues, it will be important to focus on the\r\ncollective impact to Trickbot’s capabilities between now and the election, rather than to focus on potentially\r\nmisleading simplified snapshots from any single moment in time.\r\nTags: cyberattacks, cybersecurity, Defending Democracy Program, ElectionGuard, Microsoft 365 for Campaigns,\r\nMicrosoft AccountGuard, ransomware, trickbot\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/"
	],
	"report_names": [
		"trickbot-ransomware-disruption-update"
	],
	"threat_actors": [],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0ea2c034719c2450cc1baec0f4ac93156f46223.pdf",
		"text": "https://archive.orkl.eu/f0ea2c034719c2450cc1baec0f4ac93156f46223.txt",
		"img": "https://archive.orkl.eu/f0ea2c034719c2450cc1baec0f4ac93156f46223.jpg"
	}
}