Skip to main content

Microsoft and ISPs did door-to-door router replacements to stop Trickbot malware

Microsoft and ISPs did door-to-door router replacements to stop Trickbot malware


Trickbot won’t stay down

Share this story

Illustration by Alex Castro / The Verge

Microsoft says it helped internet service providers go door-to-door replacing routers compromised with the Trickbot malware in Brazil and Latin America, hoping to squash an international hacking group. The Daily Beast reported the detail in an article about the group, which is an ongoing target for US Cyber Command as well as information security companies like Microsoft.

The Daily Beast reports that the hacking ring — also known as Trickbot and based in Russia, Belarus, Ukraine, and Suriname — is a persistent presence online. The group uses compromised computers as a massive botnet and runs ransomware attacks and other illegal operations. Trickbot is known to hijack routers and internet of things devices that are often easy to infect without owners realizing it. Eradicating malware from routers can be particularly difficult for users, making in-person replacement a surprisingly effective tactic.

Law enforcement agencies and companies have made some recent inroads into tackling Trickbot. The Justice Department charged a woman who allegedly helped develop it last month, and Microsoft boasted in 2020 that it had cut off 94 percent of the group’s server infrastructure, aiming to prevent any attacks on the US election. But Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, told The Daily Beast that Trickbot remained a “continuing challenge.”

That’s where the router replacement comes in. A Microsoft spokesperson described the details to The Verge as follows:

This kind of victim remediation involves incredible coordination with the local ISPs and hosting providers. Microsoft provides notifications about compromised devices and often works directly with the ISPs and hosting providers to share additional information and offer any necessary technical assistance. In Brazil, the ISP used this information to personally visit their customers to replace routers that were infected with Trickbot malware.

Trickbot has been allegedly behind attacks on hospitals, schools, and governments, stealing login credentials and locking computer systems to demand payment. Microsoft’s door-to-door replacement operation is just one piece of the attempts to stop it, but it’s an interesting ground-level tactic in the malware fight.

Correction: An original version of this story indicated that Microsoft had gone door-to-door to replace routers. Microsoft has since clarified that it notified ISPs about infected routers as part of a door-to-door replacement partnership. We regret the error.