SAN FRANCISCO (Reuters) – Microsoft said Monday it had used a court order to take control of computers that were installing ransomware and other malicious software on local government networks and threatening to disrupt the November election.
The maker of the Windows operating system said it seized a series of internet protocol addresses hosted by U.S. companies that had been directing activity on computers infected with Trickbot, one of the most common pieces of malware in the world.
More than a million computers have been infected with Trickbot, and the operators use the software to install more pernicious programs, including ransomware, for both criminal groups and national governments that pay for the access, researchers said.
Trickbot has shown up in a number of public governments, which could be hurt worse if the operators encrypt files or install programs that interfere with voter registration records or the display and public reporting of election results, Microsoft said.
“Ransomware is one of the largest threats to the upcoming election,” said Microsoft Corporate Vice President Tom Burt. Among other programs, Trickbot has been used to deliver Ryuk ransomware, which has been blamed in attacks on the city of Durham, N.C., and hospitals during the COVID-19 pandemic.
Microsoft worked with Broadcom’s Symantec, security firm ESET and other companies to dissect Trickbot installations and trace them to the command addresses, the companies said. Microsoft for the first time used strict provisions in copyright law to convince a federal judge in the Eastern District of Virginia that since Trickbot used Microsoft code, the company should be able to seize the operators’ infrastructure from their unknowing hosting providers.
The seizure follows mechanical attempts to disrupt Trickbot last week by sending the operators bad information, researchers said. The Washington Post reported that U.S. Cyber Command was behind that effort,