Malware operators are creative. They understand the controls security personnel put in place to stop them, so they constantly generate new campaigns and extortion methods to get the most out of their attacks.

Security researchers have discovered a Trickbot module that probes the UEFI (Unified Extensible Firmware Interface) firmware of infected personal computers to check whether the firmware's write protections are enabled, that is, whether the flash chip that stores it could be modified from the operating system. UEFI is the firmware that initializes a machine's hardware and starts the operating system, on Windows PCs and Macs alike; it runs before and beneath the operating system. What makes the discovery concerning is that a compromise at this level is not detected by mainstream security software, which runs inside the operating system, and it survives a disk wipe or reinstall of the operating system.

Another concern is Trickbot's growth as a malware platform. Commonly delivered by Emotet and used in turn to deploy Ryuk ransomware, Trickbot gets into environments and downloads other malware to carry out the operators' goals. Its operators have already built modules with detrimental impact for businesses, and now yet another attack method has been added to the arsenal. Trickbot is continuously evolving malware, and its operators will add more weaponry as time goes on.

Microsoft's security team attempted a full takedown of Trickbot's infrastructure in October and was only partly successful. The likelihood of Trickbot ending its run is low: the operators rebuilt, and they will keep folding new capabilities into the botnet to get past security controls.

If the Trickbot module can actually write to or erase the UEFI firmware on infected machines, the ransomware landscape could change drastically. Firmware lives in a flash chip on the motherboard, not on the hard drive, so once "Trickboot" has overwritten it, reimaging the disk would not help; a lengthy restoration process would follow in which each machine is reflashed by hand or physically replaced. Engineers would have to approach every machine individually, so if this happened to hundreds or thousands of machines, the disruption to a business or organization would be severe.

Finally, Trickbot's operators probably know more about the firmware on their victims' networks than the victims do, because the module inventories exactly which machines have unprotected firmware. That asymmetry is the point to keep in mind when you plan how to keep threat actors from halting your business: you should know which of your machines have write-protected firmware before an attacker finds out for you.
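The write-protection check described above, and the inventory a defender should run on their own fleet, come down to a few Intel PCH registers. The Python below is an added example written for this page; it is not Trickbot's module and not any vendor's code. It decodes the BIOS_CNTL register (BIOSWE, BLE and SMM_BWP bits) and the SPI flash protected-range registers (PR0 to PR4) from raw values, which on a real machine you would obtain with a firmware-inspection tool such as the open-source chipsec framework (its `common.bios_wp` module performs this same assessment). The register values and flash layout in the block are constructed sample data, and the bit positions follow the Intel PCH datasheets.

```python
"""Assess whether a platform's BIOS region is write-protected.

Added example, not TrickBot's or any vendor's code. Register layouts
(Intel PCH datasheets):
  BIOS_CNTL (BC): bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP
  FLASH_PRx:      bit 31 WPE, bits 30:16 limit (address bits 26:12),
                  bit 15 RPE, bits 14:0 base (address bits 26:12)
"""
from dataclasses import dataclass, field
from typing import List, Tuple

BIOSWE = 1 << 0   # BIOS Write Enable: software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI that clears it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only from SMM
PR_WPE = 1 << 31  # Protected Range: write protection enabled


@dataclass
class Assessment:
    bioswe: bool
    ble: bool
    smm_bwp: bool
    bc_protected: bool        # BIOS_CNTL alone blocks non-SMM writes
    pr_covers_bios: bool      # protected ranges cover the whole BIOS region
    findings: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        return self.bc_protected or self.pr_covers_bios


def decode_pr(pr: int) -> Tuple[bool, int, int]:
    """Return (write_protect_enabled, base, limit) for one FLASH_PRx value.
    base and limit are flash addresses; limit is inclusive (low 12 bits set)."""
    wpe = bool(pr & PR_WPE)
    limit = (((pr >> 16) & 0x7FFF) << 12) | 0xFFF
    base = (pr & 0x7FFF) << 12
    return wpe, base, limit


def _covered(ranges: List[Tuple[int, int]], base: int, limit: int) -> bool:
    """True if the union of inclusive [b, l] ranges covers [base, limit] with no gap."""
    cursor = base
    for b, l in sorted(ranges):
        if b > cursor:
            break                 # gap before this range: region not fully covered
        if l >= cursor:
            cursor = l + 1
        if cursor > limit:
            return True
    return cursor > limit


def assess(bios_cntl: int, pr_regs: List[int], bios_region: Tuple[int, int]) -> Assessment:
    """Decode BIOS_CNTL and PR0..PRn and decide whether the BIOS region is writable
    from the operating system, the condition a firmware implant needs."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    findings: List[str] = []

    if ble and smm_bwp:
        bc_protected = True       # only code running in SMM can write the BIOS region
    elif ble:
        bc_protected = False
        findings.append("BLE set but SMM_BWP clear: BIOSWE can be raced against the SMI handler that clears it")
    else:
        bc_protected = False
        findings.append("BLE clear: software can set BIOSWE and write the BIOS region at will")
    if bioswe and not bc_protected:
        findings.append("BIOSWE is set: the BIOS region is writable right now")

    wp_ranges = [(b, l) for wpe, b, l in map(decode_pr, pr_regs) if wpe]
    pr_covers = _covered(wp_ranges, *bios_region)
    if not pr_covers:
        findings.append("protected-range registers do not cover the whole BIOS region")

    return Assessment(bioswe, ble, smm_bwp, bc_protected, pr_covers, findings)


# Constructed sample data: a 16 MiB flash whose BIOS region occupies the top 11 MiB.
BIOS_REGION = (0x00500000, 0x00FFFFFF)
LOCKED_BC = BLE | SMM_BWP        # 0x22: the configuration a hardened platform should show
OPEN_BC = 0x00                   # no lock, no SMM restriction
PR0_WHOLE_BIOS = 0x8FFF0500      # WPE=1, base 0x500000, limit 0xFFFFFF

if __name__ == "__main__":
    samples = [("locked via BIOS_CNTL", LOCKED_BC, [0] * 5),
               ("no protection", OPEN_BC, [0] * 5),
               ("locked via PR0 only", OPEN_BC, [PR0_WHOLE_BIOS, 0, 0, 0, 0])]
    for label, bc, prs in samples:
        a = assess(bc, prs, BIOS_REGION)
        print(f"{label}: {'protected' if a.protected else 'WRITABLE'} {a.findings}")
```

Feed the function the BIOS_CNTL and PRx values read from a machine and the BIOS region boundaries from its flash descriptor; a result of `protected == False` means an attacker with administrative access could rewrite the firmware from the operating system, and the remedy is a firmware update or vendor setting that enables BLE together with SMM_BWP, or protected ranges covering the entire BIOS region.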

SpearTip's Security Operations Center (SOC) specializes in preventing malware from entering networks. Our engineers monitor environments for malicious activity 24 hours a day, 7 days a week. As ransomware continues to be pervasive, we will remain attentive to its evolution. We also respond to ransomware attacks by negotiating with threat actors, obtaining a decryption key, and restoring your organization's operations as quickly as possible.

If your organization experiences a breach, call our breach response hotline at 833.997.7327.