Microsoft Foils Russian Ransomware Group Planning Election ‘Chaos and Mistrust’


St. Basil's Cathedral, Moscow. Photo by america_rugbier via Flickr

Microsoft took legal action on Monday to disrupt a botnet called Trickbot, “one of the world’s most infamous botnets and prolific distributors of ransomware,” which election-security officials feared could be used to cast doubt on the results of the U.S. presidential election.

“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” said Microsoft in a statement.

The company obtained an order from a federal judge in the Eastern District of Virginia that gave Microsoft control of the Trickbot botnet, a global network it describes as the largest in the world. Botnets are networks of computers secretly infected by malware that can be controlled remotely.

According to The Washington Post, the botnet is “run by Russian-speaking criminals” and poses a “theoretical but real” threat to election integrity through ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, said Tom Burt, Microsoft’s vice president of customer security and trust.

Cybersecurity experts have raised concerns about ransomware attacks casting doubt on election results.

“While a ransomware attack wouldn’t change votes and could only lock up machines, the chaos stirred by a cyberattack could create uncertainty about the outcome of the results,” said CNET.

The Center on National Security at Fordham Law said in a statement that while Microsoft did not have evidence that the botnet ringleaders intended to seek to disrupt the election, “the firm said it was concerned about the botnet’s potential to be used to fuel confusion, perhaps by freezing voter registration systems in the lead-up to the election.”

The action coincides with an offensive in recent weeks by U.S. Cyber Command to disrupt the same group of cybercriminals, said the center.

The U.S. military’s operation sought to temporarily disrupt Trickbot by hijacking its command and control servers to send out updates to all infected computers. The operation was aimed in part at helping to secure the election, but also to more broadly damage a network that has ensnared state and local governments, banks, health-care institutions, and research facilities in the U.S. and globally.

Ransomware is one of federal officials’ chief concerns for the election.

Christopher Krebs, who heads the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, told The Washington Post that the types of harmful activities enabled by Trickbot, including ransomware, are on the rise in America.

“I firmly believe that we’re on the verge of a global emergency,” Krebs said in a statement to The Washington Post.

“With the U.S. election already underway, we need to be especially vigilant in protecting these systems during this critical time,” said Krebs. “This action proves that when the defenders team up, we can adapt to cripple the bad guys and make meaningful progress in improving our cybersecurity.”

In its October report outlining threat assessments, the U.S. Department of Homeland Security warned that nation-states will continue to try to undermine American elections.

“Threats to our election have been another rapidly evolving issue. Nation-states like China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities, and criticize our elected officials,” said the Department of Homeland Security.

Nancy Bilyeau is deputy editor of The Crime Report
