Ransomware is a type of malware that holds computer systems or data hostage with demands for payment. And it has been used against a wide variety of targets, including governments, businesses and health care facilities. Ransomware distributors are also part of a wider web of digital menace that has threatened election security.
In October 2020, the Microsoft Digital Crimes Unit worked with a coalition of partners to disrupt Trickbot, one of the most infamous botnets and prolific distributors of ransomware. Botnets are networks of computers infected by malware and being used to commit cybercrimes. While disrupting a botnet is challenging work and success varies over time, Microsoft and its partners were able to disrupt 94% of Trickbot’s critical operational infrastructure in six days.
Jason Lyons is a malware and cloud crime investigator at the Microsoft DCU and part of a team that disrupted Trickbot. We caught up with Jason to find out more about this critical work. Below is an edited version of our conversation.
What is the Microsoft Digital Crimes Unit?
I don’t think there’s another organization in private industry with the same structure, components and skill sets. It sits within the Customer Security and Trust team at Microsoft, and it comprises many different jobs and skills, including lawyers and paralegals, cyber analysts, security researchers and investigators, like myself, as well as the engineers who help build the tools we need. We have about 65 people working around the globe – at Microsoft’s Redmond, Washington, headquarters, Asia, Europe and South America.
How do people come to work in the team? What did you do beforehand?
I used to be a special agent in the U.S. Army, doing counterintelligence work. Our investigators come from many different backgrounds. One of my colleagues in DCU was a colonel in the Army, working in the communications sector. Another investigator who joined DCU recently was a computer scientist for the FBI. Another is an attorney. So there are lots of different backgrounds on the team.
[READ MORE: Protecting democracy, especially in a time of crisis]
What does your work at the DCU involve?
Within my team, which is one of about four within the DCU, we carry out about two or three major botnet disruptions – like the Trickbot operation – a year. Then we work with product teams within Microsoft, particularly Microsoft Defender and Office 365, to ensure we’re on top of current threats, as well as tackling any internal security issues. Our goal is to stop the spread of malware and protect our customers and users of the internet.
The DCU tackles the biggest threats in the ecosystem. We primarily focus on those that are having the biggest impact on our customers … or as important to a partner like FS-ISAC [the financial services cyber intelligence sharing body], which represents financial institutions all over the world. Trickbot was brought to our attention because of its antivirus (AV) tampering – once it infects a system, it has the ability to turn off the AV product.
When a case is referred to the DCU, what happens next?
They’re usually brought to us by someone inside our product group saying, “Hey, this is a significant problem for us.” We evaluate the issue, looking at the impact it could have not just on Microsoft but more widely, too. We ask whether there’s infrastructure to disrupt, where the bad guys are located and where they’re hosting their servers – and if we can get a U.S. court order to disrupt them. Or, will we need international partners and possibly international judicial orders, all of which is possible with our global team. Then we investigate how the botnet operates – is there a vulnerability we can exploit to disconnect the criminals from the victim machines and cause a significant disruption?
How are these weaknesses identified?
We build automated systems to dissect the information in the files that the botnet sends out. Then we’ll take it into our malware lab to really find out how it works. We want to know how it infects the operating system and what it does next. What security protocols does it turn off? And we look at how it communicates – probably the most important thing is what the communication between the command and control server and the victim looks like.