TrickBot: Humans Are Key To Winning The Botnet War

Ransomware-as-a-Service in the cybercrime underworld

Eli Kirtman

Northport, N.Y. – Nov. 12, 2020

TrickBot is a major cyber threat to businesses worldwide.

First detected in 2016, the botnet has evolved from a banking-credential stealer into a prolific distributor of other malware. It has infected millions of computers globally, compromised over 250 million email accounts, and cost victims at least $61 million. In the U.S., TrickBot is an imminent threat to the healthcare industry and was recently tied to a ransomware-related death.

Hackers and malware had been using social engineering and unpatched software to penetrate businesses long before the first botnet captured public attention two decades ago. While these remain the two largest attack vectors today, adversaries have developed clever tactics for deploying ransomware once they are inside the network, according to Roger Grimes, data-driven defense evangelist at KnowBe4 and author of 10 books and thousands of articles on computer security.

Wizard Spider, the group behind TrickBot, has built a constantly evolving modular malware ecosystem equipped with a full arsenal of hacking tools. TrickBot operators (botmasters) can use it for a range of nefarious activity, including cryptomining, credential harvesting, and data exfiltration. More alarming, botmasters can hand off or sell access to infected machines to other criminal groups and deploy additional malware, such as the Ryuk and Conti ransomware, all remotely from a command-and-control (C&C) server.


What you need to know about TrickBot

“One of the biggest things hackers do is monitor the anti-virus engines, often through Google’s VirusTotal.com, constantly updating the [malware] program so it can’t be detected,” says Grimes. He runs all of his malware samples through the 72 antivirus scanners on VirusTotal.com, and most of the scanners flag nothing malicious.

All the while, TrickBot sits covertly in the network, potentially for months, scoping out the company’s “crown jewels” and waiting for the botmaster’s command to unleash havoc. It is so effective at stealthily exfiltrating data that operators of other trojans use it to steal passwords. In fact, TrickBot is setting the precedent for ransomware-as-a-service.

U.S. federal agencies do not recommend paying ransom demands, because payouts encourage adversaries to attack other organizations. Nonetheless, cybercriminals know that the majority of companies will pay the ransom, and that if one victim refuses, another will.

Despite recent global efforts to dismantle the adversary’s C&C servers and halt its massive hacking operation, TrickBot quickly rebounded. Grimes predicts a war between bad bots and good bots in the near future. So, how do we beat it?

Will multi-factor authentication (MFA) do the trick? “MFA is good, use it when you can,” says Grimes in his latest book Hacking Multifactor Authentication, which busts the misconception that data is perfectly safe behind MFA and reveals more than two dozen ways to hack it.

Although MFA reduces many cybersecurity risks, it does not stop most attacks that rely on social engineering or unpatched software, which remain the two largest vectors. Directing more financial resources at those two threat vectors could significantly improve a company’s security posture.

More importantly, we must turn to the most fragile asset on the unforgiving battleground, our people, because no matter how good our policies or technical controls are, hackers and bad bots will always exploit human vulnerabilities. Many end users and stakeholders simply are not aware of the threats lurking in their browser or inbox. And some who are aware may not care.

“We must change the culture of the entire company to care and want to do something,” says Grimes. He encourages us to implement security awareness training that not only reflects the emerging threats, but also effectively teaches employees how to deal with them.

“The best way to motivate anybody in this world is with a story,” he adds. Framing the real dangers of cyberattacks in the context of a personal and memorable story, such as the recent ransomware-related death, may resonate with people and foster a “we are in this together” culture.

Eli Kirtman is a freelance writer based in Cincinnati, Ohio. 

Sponsored by KnowBe4

KnowBe4 is the world’s first and largest New-school security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.

The KnowBe4 platform is user-friendly and intuitive. It was built to scale for busy IT pros who have 16 other fires to put out. Our goal was to design the most powerful, yet easy-to-use, platform available.

Customers of all sizes can get the KnowBe4 platform deployed into production twice as fast as our competitors. Our Customer Success team gets you going in no time, without the need for consulting hours.

We are proud of the fact that more than 50 percent of our team are women, where the average in cyber security is just 20 percent of employees.