{"id":120593,"date":"2020-11-10T13:46:34","date_gmt":"2020-11-10T13:46:34","guid":{"rendered":"https:\/\/news.microsoft.com\/?p=439888"},"modified":"2020-11-10T13:46:34","modified_gmt":"2020-11-10T13:46:34","slug":"cloud-crime-investigator-describes-what-it-takes-to-fight-ransomware-and-botnets","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/11\/10\/cloud-crime-investigator-describes-what-it-takes-to-fight-ransomware-and-botnets\/","title":{"rendered":"Cloud crime investigator describes what it takes to fight ransomware and botnets"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/11\/cloud-crime-investigator-describes-what-it-takes-to-fight-ransomware-and-botnets.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Ransomware is a type of malware that holds computer systems or data hostage with demands for payment. It has been used against a wide variety of targets, including governments, businesses and health care facilities. Ransomware distributors are also part of a wider web of digital menace that has threatened election security.<\/p>\n<p>In October 2020, the Microsoft Digital Crimes Unit worked with a coalition of partners to <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/10\/12\/trickbot-ransomware-cyberthreat-us-elections\/\">disrupt Trickbot<\/a>, one of the <a href=\"https:\/\/news.microsoft.com\/on-the-issues\/2020\/03\/10\/botnet-online-safety\/\">most infamous botnets<\/a> and prolific distributors of ransomware. Botnets are networks of malware-infected computers that are used to commit cybercrimes. 
While disrupting a botnet is challenging work and success varies over time, Microsoft and its partners were able to disrupt 94% of Trickbot\u2019s <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/10\/20\/trickbot-ransomware-disruption-update\/\">critical operational infrastructure<\/a> in six days.<\/p>\n<p>Jason Lyons is a malware and cloud crime investigator at the Microsoft DCU and part of a team that disrupted Trickbot. We caught up with Jason to find out more about this critical work. Below is an edited version of our conversation.<\/p>\n<p><strong>What is the Microsoft Digital Crimes Unit?<\/strong><\/p>\n<p>I don\u2019t think there\u2019s another organization in private industry with the same structure, components and skill sets. It sits within the Customer Security and Trust team at Microsoft, and it comprises many different jobs and skills, including lawyers and paralegals, cyber analysts, security researchers and investigators, like myself, as well as the engineers who help build the tools we need. We have about 65 people working around the globe \u2013 at Microsoft\u2019s Redmond, Washington, headquarters, Asia, Europe and South America.<\/p>\n<p><strong>How do people come to work in the team? What did you do beforehand?<\/strong><\/p>\n<p>I used to be a special agent in the U.S. Army, doing counterintelligence work. Our investigators come from many different backgrounds. One of my colleagues in DCU was a colonel in the Army, working in the communications sector. Another investigator who joined DCU recently was a computer scientist for the FBI. Another is an attorney. 
So there are lots of different backgrounds on the team.<\/p>\n<p><strong><em>[READ MORE: <\/em><\/strong><a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/04\/02\/defending-democracy-program-extended\/\"><strong>Protecting democracy, especially in a time of crisis<\/strong><\/a><strong><em>]<\/em><\/strong><\/p>\n<p><strong>What does your work at the DCU involve?<\/strong><\/p>\n<p>Within my team, which is one of about four within the DCU, we carry out about two or three major botnet disruptions \u2013 like the Trickbot operation \u2013 a year. Then we work with product teams within Microsoft, particularly Microsoft Defender and Office 365, to ensure we\u2019re on top of current threats, as well as tackling any internal security issues. Our goal is to stop the spread of malware and protect our customers and users of the internet.<\/p>\n<p>The DCU tackles the biggest threats in the ecosystem. We primarily focus on those that are having the biggest impact on our customers \u2026 or as important to a partner like FS-ISAC [the financial services cyber intelligence sharing body], which represents financial institutions all over the world. Trickbot was brought to our attention because of its antivirus (AV) tampering \u2013 once it infects a system, it has the ability to turn off the AV product.<\/p>\n<p><strong>When a case is referred to the DCU, what happens next?<\/strong><\/p>\n<p>They\u2019re usually brought to us by someone inside our product group saying, \u201cHey, this is a significant problem for us.\u201d We evaluate the issue, looking at the impact it could have not just on Microsoft but more widely, too. We ask whether there\u2019s infrastructure to disrupt, where the bad guys are located and where they\u2019re hosting their servers \u2013 and if we can get a U.S. court order to disrupt them. Or, will we need international partners and possibly international judicial orders, all of which is possible with our global team. 
Then we investigate how the botnet operates \u2013 is there a vulnerability we can exploit to disconnect the criminals from the victim machines and cause a significant disruption?<\/p>\n<p><strong>How are these weaknesses identified?<\/strong><\/p>\n<p>We build automated systems to dissect the information in the files that the botnet sends out. Then we\u2019ll take it into our malware lab to really find out how it works. We want to know how it infects the operating system and what it does next. What security protocols does it turn off? And we look at how it communicates \u2013 probably the most important thing is what the communication between the command and control server and the victim looks like.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware is a type of malware that holds computer systems or data hostage with demands for payment. And it has been used against a wide variety of targets, including governments, businesses and health care facilities. Ransomware distributors are also part of a wider web of digital menace that has threatened election security. 
In October 2020, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":120594,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[50,52],"class_list":["post-120593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-recent-news","tag-security"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/120593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=120593"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/120593\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/120594"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=120593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=120593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=120593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}