Cyber Incident Victim: Trickbot botnet
Date: Sep 2020
Location: United States of America

Summary
A coordinated attack targeted the Trickbot botnet by pushing fraudulent configuration files redirecting infected systems to an unreachable server, disrupting controller infrastructure and prompting recovery mechanisms. Simultaneously, attackers flooded Trickbot's databases with millions of fake records impersonating major organizations to dilute operational data and hinder criminal activities. These disruptions aggravated botnet operators, with affiliated ransomware groups threatening increased ransom demands. Trickbot serves as a malware-as-a-service platform for high-tier cybercriminals, notably facilitating ransomware strains like Ryuk and Conti linked to significant incidents, including a healthcare provider's system-wide shutdown that forced patient relocations and ambulance diversions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
On September 22, 2020, an unidentified actor pushed a fraudulent configuration file to computers infected with the Trickbot botnet, a network of over two million compromised Windows systems primarily used for financial data theft and ransomware deployment. This configuration file instructed infected machines to connect to the loopback address 127.0.0.1 (that is, to the infected machine itself) instead of legitimate command-and-control servers, effectively severing communication between bots and operators. Cyber intelligence firm Intel 471 confirmed this disruptive action was repeated on October 1, when all Trickbot controllers stopped responding to bot requests, indicating potential disruption of central infrastructure. The timing and repetition suggested a deliberate attempt to sabotage operations rather than an operational error. Concurrently, between late September and October 1, attackers flooded Trickbot's control networks with millions of fabricated records, artificially inflating the database from 2.7 million to over seven million supposedly infected systems. Hold Security observed that these fake records included machine names impersonating entities such as the U.S. Department of Defense, Citigroup, and JPMorgan Chase, likely to overwhelm and confuse the botnet operators.

The coordinated attacks disrupted Trickbot's core functionality, though the malware's built-in fail-safe mechanism—a backup domain on EmerDNS—remained under operator control for potential recovery. The data-flooding operation provoked visible frustration among ransomware groups dependent on Trickbot, with at least one threatening to double ransom demands in retaliation, though no confirmed instances of such escalation were documented. The incident coincided with high-profile ransomware attacks leveraging Trickbot infrastructure, including the September 27 Ryuk ransomware incident against Universal Health Services (UHS), which forced the healthcare provider to shut down systems across 400 U.S. and U.K. facilities, divert ambulances, and postpone surgeries. While the sabotage temporarily hindered Trickbot's operations, its malware-as-a-service model—catering to ransomware groups like those deploying Ryuk and Conti—remained intact. No attribution for the disruptive actions was established, with potential actors ranging from government entities to rival cybercrime groups or security researchers.
