Trickbot Network Infestation

A Trickbot infestation has ravaged my network. It has wormed its way onto all workstations and servers. Does anyone know how to eradicate it and keep it from re-infecting other computers? If not, does anyone know of a company that specializes in removing this particular malware? I've tried different malware removal tools and they identify and remove it, but it keeps coming back.
Rick (Network Engineer) asked:
Dr. Klahn (Principal Software Engineer) commented:
"It has wormed its way onto all workstations and servers."

This is a long, long row to hoe if it's reinfecting across the network.  Since you have tried the obvious solution, I would go hammer-and-tongs and redo the whole network at once.

The obvious issue is that this will take the whole operation down, probably for several days, as it's unlikely that you have enough manpower to do it in one shift and no fully-functional system can be allowed onto the network until all systems are reimaged.  Management will hate you for this and IT will be a pariah for some time.

Shut down the network.  Shut down all systems.

Get your backup media for the servers.

Erase the drives on the servers, then reimage them from the last known clean full backup.

Disconnect the servers from the network with the sole exception being the system that you reimage from.

Reactivate the network.

Turn on each workstation, one at a time.  Reimage each system over the network.
btan (Exec Consultant) commented:
To add on,

Quickly isolate the network and cut off the infected segments if you can identify them. Concurrently, quarantine the machines. Time is of the essence.

Servers need to be checked as well, especially those accessible by the clients for file shares and collaboration use by multiple machines. Also check portable external storage media like thumb drives, etc.

The Internet gateway needs to be closed off if that is possible; the gist is to contain the spread and prevent further spread, or exploitation of a machine to harm others.

The root cause may be a phishing email (use of macro-enabled documents), so check the mail server too for a surge of spam and a similar group of sender(s), especially an internal user sending to all the other infected users.

Disable PowerShell, as this is heavily used by the bot to do further damage.

Advise users to check their banking accounts for anomalies and change passwords if required.

The bot would already be picked up by anti-malware software. Do advise IT to rebuild machines if possible.
https://www.virustotal.com/en/file/1401aed41f637e19041da55efa1db71c86fa8bf0a4fdfba057be78eea83c10e6/analysis/
btan (Exec Consultant) commented:
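The answer above lists containment steps (isolate the machine, cut it off from the Internet, disable PowerShell, deal with the macro-enabled documents that delivered the bot) without showing how to do them on a host. The script below is an added example, not from the answer or from Experts Exchange, of what an incident responder would run on one suspected Windows host to carry out those steps at the endpoint. It assumes Windows 8.1 / Server 2012 R2 or later (for the NetSecurity firewall cmdlets), an elevated prompt, and that 10.0.0.5 is a placeholder for your incident-response workstation; the rule IDs it disables are written to a rollback file so the reimage team can see what was there.

```powershell
<#
  Added containment example (not part of the original answer).
  Quarantines a Windows host at its own firewall so only the IR station can
  reach it, removes the PowerShell v2 engine, forces Constrained Language
  Mode, turns on script block logging and disables Office macros.
  Assumptions: Windows 8.1 / Server 2012 R2 or later, run elevated,
  10.0.0.5 is a placeholder for the incident-response workstation.
#>
param(
    [string]$ManagementHost = '10.0.0.5',                               # placeholder IR station
    [string]$RollbackFile   = "$env:ProgramData\IR-quarantine-rules.txt"  # assumed path
)

function Invoke-HostQuarantine {
    param([string]$Mgmt, [string]$Rollback)

    # Add the narrow Allow rules for the IR station first, so a remote
    # WinRM/RDP session from that host survives the lockdown that follows.
    foreach ($dir in 'Inbound','Outbound') {
        New-NetFirewallRule -DisplayName "IR-Quarantine-Mgmt-$dir" `
            -Direction $dir -RemoteAddress $Mgmt -Action Allow -Profile Any | Out-Null
    }

    # Record every rule we are about to disable so the host can be restored
    # (Enable-NetFirewallRule -Name <id>) or inspected by the reimage team.
    $rules = Get-NetFirewallRule -Enabled True |
             Where-Object { $_.DisplayName -notlike 'IR-Quarantine*' }
    $rules | Select-Object -ExpandProperty Name | Set-Content -Path $Rollback

    # In Windows Firewall a Block rule always beats an Allow rule, so "deny
    # everything except the IR station" is: default action Block on every
    # profile, then disable the existing Allow rules (Core Networking included).
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    $rules | Disable-NetFirewallRule
}

function Disable-LegacyPowerShell {
    # Remove the v2 engine: no script block logging, no AMSI, and the usual
    # target of "powershell -version 2" downgrade one-liners.
    Disable-WindowsOptionalFeature -Online -NoRestart `
        -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue | Out-Null

    # Force Constrained Language Mode for every new session on this machine.
    # Documented knob, but NOT a security boundary: any admin-level process can clear it.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

    # Script block logging -> Microsoft-Windows-PowerShell/Operational, event 4104,
    # so whatever still runs leaves a record for the investigation.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Set-OfficeMacroLockdown {
    # VBAWarnings 4 = "Disable all macros without notification";
    # blockcontentexecutionfrominternet 1 = block macros in files marked as from the web.
    # These HKCU policy keys apply to the user running the script; for the whole
    # domain push the same values through Group Policy (User Configuration).
    foreach ($app in 'Word','Excel','PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

Invoke-HostQuarantine -Mgmt $ManagementHost -Rollback $RollbackFile
Disable-LegacyPowerShell
Set-OfficeMacroLockdown
Write-Host "Host quarantined; only $ManagementHost can reach it. Disabled rule IDs saved to $RollbackFile."
```

Two caveats a practitioner will hit. First, "disable PowerShell" in the blanket sense also disables your own administration of the box; the script therefore removes the v2 engine and constrains the language mode rather than deleting powershell.exe, and the `__PSLockdownPolicy` variable is only a speed bump: the supported way to enforce Constrained Language Mode is an AppLocker or Windows Defender Application Control script policy. Second, the quarantine also severs DNS, DHCP and domain-controller traffic, which is the intent, but it means the host can no longer refresh group policy or authenticate users. None of this cleans the machine; it buys time to collect evidence and then reimage, as the earlier answer recommends.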
For consideration