On Monday of this week, just a day before the US presidential election, the FBI issued an updated advisory concerning the dangers of “an increased and imminent cybercrime threat,” noting that “malicious cyber actors … have continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization.”
The advisory was issued in coordination with the Cybersecurity Infrastructure Agency (CISA) and the Department of Health and Human Services (HHS). It focused on attacks on healthcare systems, given the added pressure they are under during the coronavirus epidemic, but the findings are relevant to any sector. Attacks have already led to data theft and disruption of services, and the FBI warned that even where a ransom is demanded to restore functionality, its advice is not to pay: “Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.”
“TrickBot” has been around at least since late 2016, and according to Microsoft, which has been engaged in an ongoing effort to thwart it, “research suggests [it] serves both nation-states and criminal networks for a variety of objectives.” In October of 2020, the company announced that it had achieved a breakthrough in its battle, claiming that it had “cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
They noted the extreme urgency of the project, calling ransomware “one of the largest threats to the upcoming elections, [as] adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results … to sow chaos and distrust.”
The announcement was greeted with immense relief – but less than a fortnight later, US hospitals were hit with what Business Insider calls an “unprecedented wave of ransomware attacks” that government sources and cyber experts attributed to TrickBot. They added that “more attacks could be looming.”
Cyber expert Jeremy Kelly told Business Insider that while “Microsoft’s disruption of the TrickBot botnet was highly successful, there was evidence shortly thereafter suggesting that the botnet was quickly rebuilt,” adapting new tools and creating new strains of malware to continue attacks. One cybercrime analyst was blunter in his assessment, claiming that efforts to take down TrickBot were “more like a PR stunt … it’s pretty clear to everyone that Trickbot is not going away anytime soon.”
TrickBot works by sending phishing links to its victims, ultimately breaking into their computer systems and installing ransomware that locks down the entire system. Even if such programs don’t actually manage to change voter tallies, they could certainly cause enough disruption to slow counting, and data theft is another possibility that could prove highly disruptive.
Security firm Check Point reported that ransomware attacks have risen by 50% in the past three months alone, with each payout encouraging the criminals to continue. However, paying the ransom is no guarantee of the future integrity of a company’s systems, which is why the FBI warns companies not to pay and instead to follow its checklist if they are targeted by cyber criminals.
When it comes to the elections, however, even the looming menace of cyber infiltration of systems is enough to “sow chaos and distrust,” as Microsoft put it. As if chaos and mistrust were lacking until now.