US Cyber Command's campaign against the Trickbot botnet, an army of at least a million hijacked computers run by Russian-speaking criminals, was not expected to permanently dismantle the network. But it will make it difficult for them while they try to restore operations.
Security researcher Brian Krebs said that US Cyber Command has "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators".
But according to Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation, it does not seem to have worked. He said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world.
Holden warned Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets.
"They are running normally and their ransomware operations are pretty much back in full swing. They are not slowing down because they still have a great deal of stolen data."
Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.