
Cyber Incident Victim: MalwareMasters

Date:

Sep 2020

Location:

United States of America

Summary

An unidentified actor disrupted the Trickbot botnet by pushing malicious configuration files that replaced the addresses of its control servers with the loopback address 127.0.0.1, so infected systems tried to contact themselves and could no longer reach their controllers. Concurrently, attackers flooded Trickbot's victim database with millions of fake records, inflating its count of compromised systems with spoofed entries attributed to major financial and defense organizations, in order to dilute operational data and hinder the criminals' work. The interference prompted ransomware affiliates relying on Trickbot to threaten doubled ransom demands, though no follow-through was confirmed. Trickbot, a malware-as-a-service platform used to deploy ransomware such as Ryuk and Conti, had previously enabled high-impact attacks, including one that forced a major healthcare provider to suspend operations and divert critical patient services. The disruption's origin, whether security researchers, a government, or rival cybercriminals, remained unknown.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On September 22, 2020, an unidentified actor pushed a fraudulent configuration file to systems infected with the Trickbot malware. The new configuration listed the loopback address 127.0.0.1 in place of the legitimate command-and-control servers, so each infected Windows PC (the botnet was estimated at over two million machines) attempted to contact itself rather than the operators' infrastructure, and check-ins stopped. Cyber intelligence firm Intel 471 confirmed that the configuration update severed botnet connectivity and that Trickbot controllers stopped responding. The same tactic was repeated on October 1, 2020, which pointed to deliberate sabotage rather than an operator error. Trickbot's operators retained a backup control channel through EmerDNS, a blockchain-based domain system whose records cannot be seized through a conventional registrar, which could in principle let them restore operations. The disruption's origin remained unconfirmed; candidates included security researchers, government entities, insiders, and rival cybercrime groups. Concurrently, between September 22 and October 1, Trickbot's database of compromised systems, which had held credentials from about 2.7 million PCs, was flooded with millions of fabricated records, inflating the count to over seven million.
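The following is an added example, not code from this page, from Trickbot, or from Intel 471. It shows the check an analyst could run on a configuration pulled from an infected host to see whether a pushed update has left the bot any controller it can still reach. Public analyses describe Trickbot's config as an XML-like document whose servs block lists srv entries of the form IP:port; that layout is assumed here, and both configs below are constructed samples using RFC 5737 documentation addresses. The loopback test is the one the September 22 push would trip: every entry resolves to the infected machine itself.

```python
"""Check whether a Trickbot-style config leaves the bot any reachable C2.

Added example; not code from the original page, from Trickbot, or from
Intel 471. The <mcconf>/<servs>/<srv> layout is assumed from public
write-ups, and every config below is a constructed sample.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed: a config with three ordinary C2 entries (RFC 5737 addresses).
CONFIG_BEFORE = """<mcconf>
  <ver>1000512</ver>
  <gtag>lib123</gtag>
  <servs>
    <srv>203.0.113.10:443</srv>
    <srv>198.51.100.27:449</srv>
    <srv>192.0.2.200:443</srv>
  </servs>
</mcconf>"""

# Constructed: the same config after a push that points every entry at loopback.
CONFIG_AFTER = """<mcconf>
  <ver>1000513</ver>
  <gtag>lib123</gtag>
  <servs>
    <srv>127.0.0.1:443</srv>
    <srv>127.0.0.1:449</srv>
    <srv>localhost:443</srv>
  </servs>
</mcconf>"""

# host:port, with optional [] around an IPv6 literal
SRV_RE = re.compile(r"^(\S+):(\d{1,5})$")


def parse_servers(config_xml):
    """Return (host, port) pairs from every <srv> element, in config order."""
    root = ET.fromstring(config_xml)
    servers = []
    for srv in root.iter("srv"):
        m = SRV_RE.match((srv.text or "").strip())
        if m:
            servers.append((m.group(1).strip("[]"), int(m.group(2))))
    return servers


def classify(host):
    """'loopback' if the entry can only reach the infected machine itself,
    'unrouted' for other addresses no router will forward, 'hostname' for a
    name the bot would first have to resolve, otherwise 'ip'.

    Only loopback, unspecified and link-local count as dead on purpose: the
    RFC 5737 documentation ranges in the samples are also non-global, so
    ipaddress.is_global / is_private would wrongly flag them as well.
    """
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified or ip.is_link_local:
        return "unrouted"
    return "ip"


def assess(config_xml):
    """Per-class counts plus a verdict: sabotaged when no entry can reach
    anything beyond the infected host."""
    counts = {"loopback": 0, "unrouted": 0, "hostname": 0, "ip": 0}
    for host, _port in parse_servers(config_xml):
        counts[classify(host)] += 1
    live = counts["ip"] + counts["hostname"]
    return {"servers": sum(counts.values()), "live": live,
            "sabotaged": live == 0, **counts}


def replaced_servers(old_xml, new_xml):
    """Entries present in the old config but absent from the new one, i.e.
    the controllers the pushed update removed."""
    return sorted(set(parse_servers(old_xml)) - set(parse_servers(new_xml)))


if __name__ == "__main__":
    print(assess(CONFIG_BEFORE))
    print(assess(CONFIG_AFTER))
    print(replaced_servers(CONFIG_BEFORE, CONFIG_AFTER))
```

Run against the two samples, the first config reports three live entries and the second reports three loopback entries and none live, so it is flagged as sabotaged; replaced_servers lists the three controllers the push dropped. A hostname entry is counted as live here because a name such as one served through EmerDNS might still resolve to a working controller, which is exactly the fallback the operators kept.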


The fake records included spoofed machine names attributed to high-profile organizations such as the U.S. Department of Defense, Citigroup, and JPMorgan Chase, and were intended to overwhelm and confuse Trickbot's operators. Security firm Hold Security observed that this data poisoning provoked visible frustration among ransomware affiliates dependent on Trickbot, with one group threatening to double its ransom demands. The botnet served as a critical platform for deploying ransomware strains such as Ryuk and Conti, which were linked to significant incidents including the September 27, 2020, attack on Universal Health Services (UHS). That attack forced the healthcare provider to shut down systems across 400 U.S. and U.K. facilities, disrupting patient care and ambulance services. While the disruptive actions against Trickbot resembled past law enforcement operations such as the 2014 Gameover Zeus takedown, their lasting effect remained uncertain because of the botnet's resilient design and the operators' retained recovery capabilities.

Sources
1 source (available to members)