Trickbot has infected 140,000-plus machines since late 2020
In October 2020, Microsoft reported that more than 90% of Trickbot's infrastructure had been disabled. The threat actor bounced back and began thriving soon after.
More than 140,000 machines have been affected by Trickbot since November 2020, according to a report published Wednesday by Check Point Research.
The report surrounds recent activity from Trickbot, a prolific banking Trojan first reported in 2016 that has evolved into a botnet, ransomware and malware ecosystem in the years since. It has become known not only for the significant scale for its operation, but also for its ability to thrive as long as it has.
Because the research is based on information gathered since November 2020, it represents significant activity from a threat actor that allegedly had more than 90% of its infrastructure disabled a month before. That said, it was apparent within the month that Trickbot had begun to bounce back and deploy more ransomware.
According to Check Point, more than 140,000 machines have been infected by Trickbot in the past 16 months, representing customers of 60 corporations. The corporations whose customers are affected include Amazon, Microsoft, PayPal, Bank of America, Wells Fargo, American Express and others.
Alexander Chailytko, cybersecurity, research and innovation manager at Check Point, said the more than 140,000 machines infected are primarily computers belonging to the general public, as well as "some companies."
As for why it's "more than" 140,000, the data gathered represents telemetry Check Point has gained from its customers. Because of this, Chailytko said, the security vendor may have more or less visibility in certain parts of the world.
Overall, Check Point said one out of every 45 organizations has been affected by Trickbot.
Trickbot's days could be numbered, however. Last week, researchers including dark web monitoring vendor Hold Security reported Trickbot lost key gang members.
Our Dark Web sources report that Trickbot gang lost its key members over the past 24 hours. Looks like Russian government actions are driving ransomware gangs to close their doors. Hopefully this is going to be it for the one of most notorious ransomware gangs of our time.— HoldSecurity (@HoldSecurity) February 11, 2022
Chailytko, while not specific about recent reports, said Check Point has seen some decline in activity.
"We can definitely see a decline in Trickbot campaign activity over the last couple months," he said. "We can confirm that."
Check Point recommends users protect themselves from Trickbot by opening only documents from trusted sources, using different passwords for different accounts, and keeping operating systems and antivirus software updated.
Alexander Culafi is a writer, journalist and podcaster based in Boston.