What does it take to fight ransomware and botnets? A Q&A with a cloud crime investigator

Ransomware is a type of malware that holds computer systems or data hostage with demands for payment. And it has been used against a wide variety of targets, including governments, businesses and health care facilities. Ransomware distributors are also part of a wider web of digital menace that has threatened election security.

In October 2020, the Microsoft Digital Crimes Unit worked with a coalition of partners to disrupt Trickbot, one of the most infamous botnets and prolific distributors of ransomware. Botnets are networks of computers infected by malware and being used to commit cybercrimes. While disrupting a botnet is challenging work and success varies over time, Microsoft and its partners were able to disrupt 94% of Trickbot’s critical operational infrastructure in six days.

Jason Lyons is a malware and cloud crime investigator at the Microsoft DCU and part of a team that disrupted Trickbot. We caught up with Jason to find out more about this critical work. Below is an edited version of our conversation.

What is the Microsoft Digital Crimes Unit?

I don’t think there’s another organization in private industry with the same structure, components and skill sets. It sits within the Customer Security and Trust team at Microsoft, and it comprises many different jobs and skills, including lawyers and paralegals, cyber analysts, security researchers and investigators, like myself, as well as the engineers who help build the tools we need. We have about 65 people working around the globe – at Microsoft’s Redmond, Washington, headquarters, and in Asia, Europe and South America.

How do people come to work in the team? What did you do beforehand?

I used to be a special agent in the U.S. Army, doing counterintelligence work. Our investigators come from many different backgrounds. One of my colleagues in DCU was a colonel in the Army, working in the communications sector. Another investigator who joined DCU recently was a computer scientist for the FBI. Another is an attorney. So there are lots of different backgrounds on the team.

What does your work at the DCU involve?

Within my team, which is one of about four within the DCU, we carry out about two or three major botnet disruptions – like the Trickbot operation – a year. Then we work with product teams within Microsoft, particularly Microsoft Defender and Office 365, to ensure we’re on top of current threats, as well as tackling any internal security issues. Our goal is to stop the spread of malware and protect our customers and users of the internet.

The DCU tackles the biggest threats in the ecosystem. We primarily focus on those that are having the biggest impact on our customers … or as important to a partner like FS-ISAC [the financial services cyber intelligence sharing body], which represents financial institutions all over the world. Trickbot was brought to our attention because of its antivirus (AV) tampering – once it infects a system, it has the ability to turn off the AV product.

When a case is referred to the DCU, what happens next?

They’re usually brought to us by someone inside our product group saying, “Hey, this is a significant problem for us.” We evaluate the issue, looking at the impact it could have not just on Microsoft but more widely, too. We ask whether there’s infrastructure to disrupt, where the bad guys are located and where they’re hosting their servers – and if we can get a U.S. court order to disrupt them. Or, will we need international partners and possibly international judicial orders, all of which is possible with our global team. Then we investigate how the botnet operates – is there a vulnerability we can exploit to disconnect the criminals from the victim machines and cause a significant disruption?

How are these weaknesses identified?

We build automated systems to dissect the information in the files that the botnet sends out. Then we’ll take it into our malware lab to really find out how it works. We want to know how it infects the operating system and what it does next. What security protocols does it turn off? And we look at how it communicates – probably the most important thing is what the communication between the command and control server and the victim looks like.

Then we plan how we’re going to disrupt the malware and stop the command and control servers from communicating with the victims. Most of the time this will be through its communication channels. Does it communicate through a domain, for instance? If so, we can go to a U.S. court to get a temporary restraining order on that domain name so that the communication with victim devices is instead rerouted to Microsoft for further analysis. In the instance of Trickbot, which was IP-based, there were a significant number of servers inside the U.S. we could seize and disrupt through court orders. Where servers were based in Europe, we sent notices referencing EU cybercrime directives to internet service providers [ISPs] hosting the botnet so similar action could be taken.

Having lawyers as part of DCU must be a big help in that kind of situation.

Yes, exactly. We come up with the technical method of disruption, and then our attorneys figure out the legal aspects of the operation. To disrupt Trickbot, we actually used copyright law – which has nothing to do with malware. The criminals behind Trickbot were employing part of Microsoft’s code maliciously – so we used that as a basis for our legal case to disrupt them.

How are cyber threats evolving?

Whether it’s a nation-state activity or a crime for profit, the level of sophistication is going up significantly. It’s evolving constantly. With ransomware, for instance, the use of encryption, cryptocurrencies and the ability to hide on the internet is really driving the threat. There’s such a level of technical expertise and anonymization – and it’s very hard to track down.

How are Covid-19 and remote working affecting this landscape?

It’s changed everybody – how people work, and how they communicate. There’s more email, more communication going back and forth. And we’ve seen major threat actors leverage things like Covid themes in malware spam campaigns – using current events to get people to click on things they normally wouldn’t. In the U.S., we’ve even seen botnet operators use Black Lives Matter subject lines as a way to get people more interested in clicking on emails which could then infect them.

Why is it important for Microsoft to tackle these threats?

Well, firstly because of who we are – our digital ecosystem receives trillions of signals each day, which gives us a unique ability to look for and find criminal conduct. But it’s about the wider impact we can have. The Trickbot operation was a long process – it took about two years. But, hopefully, it helped achieve our objective of protecting customers.

Do you have any tips on how people can help protect themselves from these threats at home?

One of the key things is having up-to-date antivirus software installed. That’s the best line of defense for a home user. Then, make sure you always have the latest version of your operating system. And thirdly, always use multi-factor authentication where possible.