Dataloop raises $11M Series A round for its AI data management platform

Dataloop, a Tel Aviv-based startup that specializes in helping businesses manage the entire data life cycle for their AI projects, including helping them annotate their data sets, today announced that it has now raised a total of $16 million. This includes a $5 million seed round that was previously unreported, as well as an $11 million Series A round that recently closed.

The Series A round was led by Amiti Ventures, with participation from F2 Venture Capital, crowdfunding platform OurCrowd, NextLeap Ventures and SeedIL Ventures.

“Many organizations continue to struggle with moving their AI and ML projects into production as a result of data labeling limitations and a lack of real-time validation that can only be achieved with human input into the system,” said Dataloop CEO Eran Shlomo. “With this investment, we are committed, along with our partners, to overcoming these roadblocks and providing next generation data management tools that will transform the AI industry and meet the rising demand for innovation in global markets.”

Image Credits: Dataloop

For the most part, Dataloop specializes in helping businesses manage and annotate their visual data. It’s agnostic to the vertical its customers are in, but we’re talking about anything from robotics and drones to retail and autonomous driving.

The platform itself centers around the “humans in the loop” model that complements the automated systems, with the ability for humans to train and correct the model as needed. It combines the hosted annotation platform with a Python SDK and REST API for developers, as well as a serverless Functions-as-a-Service environment that runs on top of a Kubernetes cluster for automating dataflows.

Image Credits: Dataloop

The company was founded in 2017. It’ll use the new funding to grow its presence in the U.S. and European markets, something that’s pretty standard for Israeli startups, and build out its engineering team as well.

With a new focus on marketing software, NewsCred relaunches as Welcome

The company formerly known as NewsCred has a new name and a new product: Welcome.

Co-founder and CEO Shafqat Islam explained that this follows a broader shift in the company’s strategy. While previously known as a content marketing business, Islam said NewsCred has been increasingly focused on building a broader software platform for marketers (a platform that it uses itself).

Eventually, this led the company to sell its content services business to business journalism company Industry Dive and its owner Falfurrias Capital Partners over the summer. Now Welcome is officially unveiling its new brand, which it’s also using for its new marketing orchestration software.

“It’s not often that startups like ours get to close one chapter and open another chapter,” Islam said. “We kind of went back to being a Series A, Series B startup, iterating and working very closely with our customers.”

While today is the official launch of the Welcome platform, Islam said the company has been moving the software in this direction for the past year, and that this side of the business has already seen significant growth, with daily average users up 300% year-over-year.

Islam also suggested that while this was the right time to come up with a new company name, it’s something that’s been discussed repeatedly in the past.

Welcome Gantt Calendar

Image Credits: Welcome

“Every time we raised money in the last 10 years, the new investor would say, ‘What about the name? Can we change it?’ ” he recalled. “We could never do it, because we had this content heritage built up and enough brand equity. Finally, with this deal, and with the launch of the new software … we came up with the name Welcome.”

While there’s no shortage of marketing software out there already, Islam said marketers need an orchestration system to manage their projects and workflows — most of them, he said, are stuck using “horizontal” project management tools that aren’t really built for their needs, such as Asana or Jira.

“Marketers have very specific needs,” Islam said. “It could be a simple thing like … marketers work with campaigns, so what are your specific campaigns, marketing briefs or marketing-specific workflows? Our approach was: How do we create something that’s really specific to marketers versus all horizontal solutions out there?”

He also noted that “close to half the engineering team works on the interoperability problem,” so that Welcome can integrate all the other tools that marketers are using, like HubSpot and Marketo. The goal, Islam said, is to become “something marketers standardize on,” the way that salespeople log into their Salesforce accounts every day.

Islam also argued Welcome will take advantage of the way that the pandemic has accelerated changes in the enterprise sales process.

“I personally believe the way people buy software is changing,” he said. “The days of wining and dining and selling to the CMO, that still exists, but that’s not how everyone wants to buy anymore.”

To adapt to this new world, Islam said the startup is adopting a more “bottoms up” sales approach, with a free version of the platform due for release next month.

Atlassian Smarts adds machine learning layer across the company’s platform of services

Atlassian has for some time offered collaboration tools favored by developers and IT, with such stalwarts as Jira for help desk tickets, Confluence to organize your work and Bitbucket to organize your development deliverables. What it lacked was a machine learning layer across the platform to help users work smarter within and across the applications in the Atlassian family.

That changed today, when Atlassian announced it has been building that machine learning layer, called Atlassian Smarts, and is releasing several tools that take advantage of it. It’s worth noting that unlike Salesforce, which calls its intelligence layer Einstein, or Adobe, which calls its Sensei, Atlassian chose to forgo the cutesy marketing terms and just let the technology stand on its own.

Shihab Hamid, the founder of the Smarts and Machine Learning Team at Atlassian, who has been with the company 14 years, says they avoided a marketing name by design. “I think one of the things that we’re trying to focus on is actually the user experience and so rather than packaging or branding the technology, we’re really about optimizing teamwork,” Hamid told TechCrunch.

Hamid says that the goal of the machine learning layer is to remove the complexity involved with organizing people and information across the platform.

“Simple tasks like finding the right person or the right document becomes a challenge, or at least they slow down productivity and take time away from the creative high-value work that everyone wants to be doing, and teamwork itself is super messy and collaboration is complicated. These are human challenges that don’t really have one right solution,” he said.

He says that Atlassian has decided to solve these problems using machine learning with the goal of speeding up repetitive, time-intensive tasks. Much like Adobe or Salesforce, Atlassian has built this underlying layer of machine smarts, for lack of a better term, that can be distributed across their platform to deliver this kind of machine learning-based functionality wherever it makes sense for the particular product or service.

“We’ve invested in building this functionality directly into the Atlassian platform to bring together IT and development teams to unify work, so the Atlassian flagship products like JIRA and Confluence sit on top of this common platform and benefit from that common functionality across products. And so the idea is if we can build that common predictive capability at the platform layer we can actually proliferate smarts and benefit from the data that we gather across our products,” Hamid said.

The first pieces fit into this vision. For starters, Atlassian is offering a smart search tool that helps users find content across Atlassian tools faster by understanding who you are and how you work. “So by knowing where users work and what they work on, we’re able to proactively provide access to the right documents and accelerate work,” he said.

The second piece is more about collaboration and building teams with the best personnel for a given task. A new tool called predictive user mentions helps Jira and Confluence users find the right people for the job.

“What we’ve done with the Atlassian platform is actually baked in that intelligence, because we know what you work on and who you collaborate with, so we can predict who should be involved and brought into the conversation,” Hamid explained.

Finally, the company announced a tool specifically for Jira users that bundles together similar sets of help requests, which should lead to faster resolution than handling them manually one at a time.

“We’re soon launching a feature in JIRA Service Desk that allows users to cluster similar tickets together, and operate on them to accelerate IT workflows, and this is done in the background using ML techniques to calculate the similarity of tickets, based on the summary and description, and so on.”

All of this was made possible by the company’s previous shift from mostly on-premises to the cloud and the flexibility that gave them to build new tooling that crosses the entire platform.

Today’s announcements are just the start of what Atlassian hopes will be a slew of new machine learning-fueled features being added to the platform in the coming months and years.

Zoom to start first phase of E2E encryption rollout next week

Zoom will begin rolling out end-to-end encryption to users of its videoconferencing platform from next week, it said today.

The platform, whose fortunes have been supercharged by the pandemic-driven boom in remote working and socializing this year, has been working on rebooting its battered reputation in the areas of security and privacy since April — after it was called out on misleading marketing claims of having E2E encryption (when it did not). E2E is now finally on its way though.

“We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days,” it writes in a blog post. “Zoom users — free and paid — around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.”

Zoom acquired Keybase in May, saying then that it was aiming to develop “the most broadly used enterprise end-to-end encryption offering”.

However, initially, CEO Eric Yuan said this level of encryption would be reserved for fee-paying users only. But after facing a storm of criticism the company enacted a swift U-turn — saying in June that all users would be provided with the highest level of security, regardless of whether they are paying to use its service or not.

Zoom confirmed today that Free/Basic users who want to get access to E2EE will need to participate in a one-time verification process — in which it will ask them to provide additional pieces of information, such as verifying a phone number via text message — saying it’s implementing this to try to reduce “mass creation of abusive accounts”.

“We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users,” it writes.

Next week’s rollout of a technical preview is phase 1 of a four-stage process to bring E2E encryption to the platform.

This means there are some limitations — including on the features that are available in E2EE Zoom meetings (you won’t have access to join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions); and on the clients that can be used to join meetings (for phase 1 all E2EE meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms). 

The next phase of the E2EE rollout — which will include “better identity management and E2EE SSO integration”, per Zoom’s blog — is “tentatively” slated for 2021.

From next week, customers wanting to check out the technical preview must enable E2EE meetings at the account level and opt-in to E2EE on a per-meeting basis.

All meeting participants must have the E2EE setting enabled in order to join an E2EE meeting. Hosts can enable the setting for E2EE at the account, group, and user level, and it can be locked at the account or group level, Zoom notes in an FAQ.

The encryption being used is the same AES-256-GCM cipher Zoom already uses, but here it is combined with public key cryptography: the keys are generated locally by the meeting host and then distributed to participants, rather than being generated by Zoom’s cloud.

“Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” it explains of the E2EE implementation.

If you’re wondering how you can be sure you’ve joined an E2EE Zoom meeting, a dark padlock will be displayed atop the green shield icon in the upper left corner of the meeting screen. (Zoom’s standard GCM encryption shows a checkmark here.)

Meeting participants will also see the meeting leader’s security code — which they can use to verify the connection is secure. “The host can read this code out loud, and all participants can check that their clients display the same code,” Zoom notes.
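The host-generated-key model described above, as an added illustration in Go that is not Zoom’s code or protocol: the host makes the 256-bit AES-GCM meeting key locally, wraps it to each participant’s public key so the relay forwards only ciphertext, and every client derives the same short security code from the host’s public key to compare out loud. The X25519 key agreement, the AAD choices and the code format are assumptions of this example, not details of Zoom’s implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrappedKey is all the relay ever forwards: host public key plus sealed meeting key.
type WrappedKey struct {
	HostPub []byte
	Nonce   []byte
	Sealed  []byte
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, i.e. AES-256
	if err != nil {
		panic(err) // a wrong key length is a programming error, not runtime input
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// gcmSeal encrypts under a fresh random 96-bit nonce and authenticates aad.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead := newGCM(key)
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	return newGCM(key).Open(nil, nonce, ct, aad) // fails on any tampering of ct or aad
}

// pairKey derives an AES-256 key from an X25519 agreement (assumed here) between
// the caller's private key and a peer's public key; the relay holds neither.
func pairKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(secret) // hash the raw agreement to a fixed 32-byte key
	return sum[:], nil
}

// HostDistribute is the host side: generate the meeting key locally, then wrap it
// once per participant so only that participant can recover it.
func HostDistribute(host *ecdh.PrivateKey, participantPubs [][]byte) ([]byte, []WrappedKey, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return nil, nil, err
	}
	var wrapped []WrappedKey
	for _, pub := range participantPubs {
		k, err := pairKey(host, pub)
		if err != nil {
			return nil, nil, err
		}
		nonce, ct, err := gcmSeal(k, meetingKey, pub) // recipient's key as AAD
		if err != nil {
			return nil, nil, err
		}
		wrapped = append(wrapped, WrappedKey{host.PublicKey().Bytes(), nonce, ct})
	}
	return meetingKey, wrapped, nil
}

// ParticipantUnwrap is the participant side: only the local private key and the
// host public key carried in the blob are needed to recover the meeting key.
func ParticipantUnwrap(p *ecdh.PrivateKey, w WrappedKey) ([]byte, error) {
	k, err := pairKey(p, w.HostPub)
	if err != nil {
		return nil, err
	}
	return gcmOpen(k, w.Nonce, w.Sealed, p.PublicKey().Bytes())
}

// SecurityCode: fingerprint of the host's public key bound to the meeting ID, as
// four short groups the host can read aloud for all participants to compare.
func SecurityCode(hostPub []byte, meetingID string) string {
	sum := sha256.Sum256(append([]byte(meetingID+"|"), hostPub...))
	return fmt.Sprintf("%x-%x-%x-%x", sum[0:2], sum[2:4], sum[4:6], sum[6:8])
}

func main() {
	host, _ := ecdh.X25519().GenerateKey(rand.Reader)
	guest, _ := ecdh.X25519().GenerateKey(rand.Reader)
	key, blobs, _ := HostDistribute(host, [][]byte{guest.PublicKey().Bytes()})
	got, err := ParticipantUnwrap(guest, blobs[0])
	fmt.Println("guest recovered meeting key:", err == nil && string(got) == string(key))
	fmt.Println("security code:", SecurityCode(host.PublicKey().Bytes(), "demo-meeting"))
}
```

Because the relay only ever sees `WrappedKey` blobs and GCM ciphertext, a compromised server cannot read meeting content; a mismatching security code on one client indicates that client was handed a different host key.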

Daily Crunch: Zoom launches its events marketplace

Zoom has a new marketplace and new integrations, Spotify gets a new format and we review Microsoft’s Surface Laptop Go. This is your Daily Crunch for October 14, 2020.

The big story: Zoom launches its events marketplace

Zoom’s new OnZoom marketplace allows anyone to host and sell tickets for virtual events. It’s also integrating the ability for nonprofits to accept donations.

The company made a couple other announcements at its Zoomtopia user conference. For one thing, it’s also integrating with a starting lineup of 35 third-party “Zapps,” allowing products like Asana and Dropbox to integrate directly into the Zoom experience.

In addition, Zoom said it will begin rolling out end-to-end encryption (a feature it’s been promising since acquiring Keybase in May) to users next week.

The tech giants

Spotify introduces a new music-and-spoken word format, open to all creators — The new format is designed to reproduce the radio-like experience of listening to a DJ talk about the music, and it also enables the creation of music-filled podcasts.

Microsoft reverse engineers a budget computer with the Surface Laptop Go — Brian Heater writes that the Laptop Go is a strange and sometimes successful mix of Surface design and budget decisions.

Google launches a suite of tech-powered tools for reporters, Journalist Studio — The suite includes a host of existing tools as well as two new products aimed at helping reporters search across large documents and visualizing data.

Startups, funding and venture capital

Getaround raises a $140M Series E amid rebound in short-distance travel — The rebound is real: I took my first Getaround this weekend.

Augury taps $55M for tech that predicts machine faults from vibration, sound and temperature — The startup works with large enterprises like Colgate and Heineken to maintain machines in their production and distribution lines.

Plenty has raised over $500M to grow fruits and veggies indoors — The funding was led by existing investor SoftBank Vision Fund and included the berry farming giant Driscoll’s.

Advice and analysis from Extra Crunch

What the iPhone 12 tells us about the state of the smartphone industry in 2020 — While the iPhone 12 was no doubt in development long before the current pandemic, the pandemic’s global shutdown has only exacerbated many existing problems for smartphone makers.

Databricks crossed $350M run rate in Q3, up from $200M one year ago — The data analytics company scaled rapidly to put itself on an obvious IPO path.

Dear Sophie: I came on a B-1 visa, then COVID-19 happened. How can I stay? — The latest advice from immigration lawyer Sophie Alcorn.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. And we’re having a fall sale!)

Everything else

NASA loads 14 companies with $370M for ‘tipping point’ technologies — NASA has announced more than a third of a billion dollars’ worth of “Tipping Point” contracts awarded to over a dozen companies pursuing potentially transformative space technologies.

Harley-Davidson should keep making e-motorcycles — That’s Jake Bright’s takeaway after three weeks with the LiveWire e-motorcycle.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Armory nabs $40M Series C as commercial biz on top of open-source Spinnaker project takes off

As companies continue to shift more quickly to the cloud, pushed by the pandemic, startups like Armory that work in the cloud-native space are seeing an uptick in interest. Armory is a company built to be a commercial layer on top of the open-source continuous delivery project Spinnaker. Today, it announced a $40 million Series C.

B Capital led the round, with help from new investors Lead Edge Capital and Marc Benioff along with previous investors Insight Partners, Crosslink Capital, Bain Capital Ventures, Mango Capital, Y Combinator and Javelin Venture Partners. Today’s investment brings the total raised to more than $82 million.

“Spinnaker is an open-source project that came out of Netflix and Google, and it is a very sophisticated multi-cloud and software delivery platform,” company co-founder and CEO Daniel R. Odio told TechCrunch.

Odio points out that this project has the backing of industry leaders, including the three leading public cloud infrastructure vendors Amazon, Microsoft and Google, as well as other cloud players like CloudFoundry and HashiCorp. “The fact that there is a lot of open-source community support for this project means that it is becoming the new standard for cloud-native software delivery,” he said.

In the days before the notion of continuous delivery, companies moved forward slowly, releasing large updates over months or years. As software moved to the cloud, this approach no longer made sense and companies began delivering updates more incrementally, adding features when they were ready. Adding a continuous delivery layer helped facilitate this move.

As Odio describes it, Armory extends the Spinnaker project to help implement complex use cases at large organizations, including around compliance and governance and security. It is also in the early stages of implementing a SaaS version of the solution, which should be available next year.

While he didn’t want to discuss customer numbers, he mentioned JPMorgan Chase and Autodesk as customers, along with less specific allusions to “a Fortune Five technology company, a Fortune 20 Bank, a Fortune 50 retailer and a Fortune 100 technology company.”

The company currently has 75 employees, but Odio says business has been booming and he plans to double the team in the next year. As he does, he says that he is deeply committed to diversity and inclusion.

“There’s actually a really big difference between diversity and inclusion, and there’s a great Vernā Myers quote that diversity is being asked to the party and inclusion is being asked to dance, and so it’s actually important for us not only to focus on diversity, but also focus on inclusion because that’s how we win. By having a heterogeneous company, we will outperform a homogeneous company,” he said.

While the company has moved to remote work during COVID, Odio says they intend to remain that way, even after the current crisis is over. “Now obviously COVID has been a real challenge for the world, including us. We’ve gone to a fully remote-first model, and we are going to stay remote-first even after COVID. And it’s really important for us to be taking care of our people, so there’s a lot of human empathy here,” he said.

But at the same time, he sees COVID opening up businesses to move to the cloud and that represents an opportunity for his business, one that he will focus on with new capital at his disposal. “In terms of the business opportunity, we exist to help power the transformation that these enterprises are undergoing right now, and there’s a lot of urgency for us to execute on our vision and mission because there is a lot of demand for this right now,” he said.

DroneDeploy teams with Boston Dynamics to deliver inside-outside view of job site

DroneDeploy, a cloud software company that uses drone footage to help industries like agriculture, oil and gas and construction get a bird’s-eye view of a site to build a 3D picture, announced a new initiative today that combines drone photos with cameras on the ground or even ground robots from a company like Boston Dynamics for what it is calling a 360 Walkthrough.

Up until today’s announcement, DroneDeploy could use drone footage from any drone to get a picture of what a site looked like outside, uploading those photos and stitching them together into a 3D model that is accurate within an inch, according to DroneDeploy CEO Mike Winn.

Winn says that while there is great value in getting this type of view of the outside of a job site, customers were hungry for a total picture that included inside and out, and the platform, which simply processes photos transmitted from drones, could be adapted fairly easily to accommodate photos coming from cameras on other devices.

“Our customers are also looking to get data from the interiors, and they’re looking for one digital twin, one digital reconstruction of their entire site to understand what’s going on to share across their company with the safety team and with executives that this is the status of the job site today,” Winn explained.

He adds that this is even more important during COVID when access to job sites has been limited, making it even more important to understand the state of the site on a regular basis.

“They want fewer people on those job sites, only the essential workers doing the work. So for anyone who needs information about the site, if they can get that information from a desktop or the 3D model or a kind of street view of the job site, it can really help in this COVID environment, but it also makes it much more efficient,” Winn said.

He said that while companies could combine this capability with fixed cameras on the inside of a site, they don’t give the kind of coverage a ground robot could, and the Boston Dynamics robot is capable of moving around a rough job site with debris scattered around.

DroneDeploy bird's eye view of job site showing path taken through the site.

Image Credits: DroneDeploy

While Winn sees the use of the Boston Dynamics robot as more of an end goal, he says that more likely for the immediate future you will have a human walking through the job site with a camera to capture the footage to complete the inside-outside picture for the DroneDeploy software.

“All customers already want to adopt robots to collect this data, and you can imagine a Boston Dynamics robot [doing this], but that’s the end state of course. Today we’re supporting the human walk-through as well, a person with a 360 camera walking through the job site, probably doing it once a week to document the status of the job sites,” he said.

DroneDeploy launched in 2013 and has raised more than $100 million, according to Winn. He reports his company has over 5,000 customers, with drone flight time increasing by 2.5x YoY this year as more companies adopt drones as a way to cope with COVID.

Microsoft Patch Tuesday, October 2020 Edition

It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to back up and patch up.

Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.

Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).

Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is imminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.

“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”

Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.

“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.

While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.

Other patches released today tackle problems in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.

For any of you who’ve been pining for a Flash Player patch from Adobe, your days of waiting are over. After several months of depriving us of Flash fixes, Adobe’s shipped an update that fixes a single — albeit critical — flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.

Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Twilio’s $3.2B Segment acquisition is about helping developers build data-fueled apps

The pandemic has forced businesses to change the way they interact with customers. Whether it’s how they deliver goods and services, or how they communicate, there is one common denominator, and that’s that everything is being forced to be digitally driven much faster.

To some extent, that’s what drove Twilio to acquire Segment for $3.2 billion today. (We wrote about the deal over the weekend. Forbes broke the story last Friday night.) When you get down to it, the two companies fit together well, and expand the platform by giving Twilio customers access to valuable customer data. Chee Chew, Twilio’s chief product officer, says while it may feel like the company is pivoting in the direction of customer experience, they don’t necessarily see it that way.

“A lot of people have thought about us as a communications company, but we think of ourselves as a customer engagement company. We really think about how we help businesses communicate more effectively with their customers,” Chew told TechCrunch.

Laurie McCabe, co-founder and partner at SMB Group, sees the move related to the pandemic and the need companies have to serve customers in a more fully digital way. “More customers are realizing that delivering a great customer experience is key to survive through the pandemic, and thriving as the economy recovers — and are willing to spend to do this even in uncertain times,” McCabe said.

Certainly Chew recognized that Segment gives them something they were lacking by providing developers with direct access to customer data, and that could lead to some interesting applications.

“The data capabilities that Segment has are providing a full view of the customer. It really layers across everything we do. I think of it as a horizontal add across the channels and extending beyond. So I think it really helps us advance in a different sort of way […] towards getting the holistic view of the customer and enabling our customers to build intelligence services on top,” he said.

Brent Leary, founder and principal analyst at CRM Essentials, sees Segment helping to provide a powerful data-fueled developer experience. “This move allows Twilio to impact the data-insight-interaction-experience transformation process by removing friction from developers using their platform,” Leary explained. In other words, it gives developers that ability that Chew alluded to, to use data to build more varied applications using Twilio APIs.

Paul Greenberg, author of CRM at the Speed of Light, and founder and principal analyst at 56 Group, agrees, saying, “Segment gives Twilio the ability to use customer data in what is already a powerful unified communications platform and hub. And since it is, in effect, APIs for both, the flexibility [for developers] is enormous,” he said.

That may be so, but Holger Mueller, an analyst at Constellation Research, says the company has to be seeing that the pure communication parts of the platform like SMS are becoming increasingly commoditized, and this deal, along with the SendGrid acquisition in 2018, gives Twilio a place to expand its platform into a much more lucrative data space.

“Twilio needs more growth path and it looks like its strategy is moving up the stack, at least with the acquisition of Segment. Data movement and data residence compliance is a huge headache for enterprises when they build their next generation applications,” Mueller said.

As Chew said, Twilio’s early work focused on building SMS messaging into applications, because that was the problem developers needed solved at the time. Going forward, it wants to provide a more unified customer communications experience, and Segment should advance that capability in a big way.

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet

Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.

A spam email containing a Trickbot-infected attachment that was sent earlier this year. Image: Microsoft.

“We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog post this morning about the legal maneuver. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Microsoft’s action comes just days after the U.S. military’s Cyber Command carried out its own attack that sent all infected Trickbot systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control them. The roughly 10-day operation by Cyber Command also stuffed millions of bogus records about new victims into the Trickbot database in a bid to confuse the botnet’s operators.

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

From the civil complaint Microsoft filed on October 6 with the U.S. District Court for the Eastern District of Virginia:

“However, they still bear the Microsoft and Windows trademarks. This is obviously meant to and does mislead Microsoft’s customers, and it causes extreme damage to Microsoft’s brands and trademarks.”

“Users subject to the negative effects of these malicious applications incorrectly believe that Microsoft and Windows are the source of their computing device problems. There is great risk that users may attribute this problem to Microsoft and associate these problems with Microsoft’s Windows products, thereby diluting and tarnishing the value of the Microsoft and Windows trademarks and brands.”

Microsoft said it will leverage the seized Trickbot servers to identify and assist Windows users impacted by the Trickbot malware in cleaning the malware off of their systems.

Trickbot has been used to steal passwords from millions of infected computers, and reportedly to hijack access to well more than 250 million email accounts from which new copies of the malware are sent to the victim’s contacts.

Trickbot’s malware-as-a-service feature has made it a reliable vehicle for deploying various strains of ransomware, locking up infected systems on a corporate network unless and until the company agrees to make an extortion payment.

A particularly destructive ransomware strain that is closely associated with Trickbot — known as “Ryuk” or “Conti” — has been responsible for costly attacks on countless organizations over the past year, including healthcare providers, medical research centers and hospitals.

One recent Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider that operates more than 400 facilities in the U.S. and U.K.

On Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid to stop the spread of the malware. The disruption caused some of the affected hospitals to redirect ambulances and relocate patients in need of surgery to other nearby hospitals.

Microsoft said it did not expect its action to permanently disrupt Trickbot, noting that the crooks behind the botnet will likely make efforts to revive their operations. But so far it’s not clear whether Microsoft succeeded in commandeering all of Trickbot’s control servers, or when exactly the coordinated seizure of those servers occurred.

As the company noted in its legal filings, the set of Internet addresses used as Trickbot controllers is dynamic, making attempts to disable the botnet more challenging.

Indeed, according to real-time information posted by Feodo Tracker, a Swiss security site that tracks Internet servers used as controllers for Trickbot and other botnets, nearly two dozen Trickbot control servers — some of which first went active at the beginning of this month — were still live and responding to requests at the time of this publication.

Trickbot control servers that are currently online. Source: Feodotracker.abuse.ch

Cyber intelligence firm Intel 471 says fully taking down Trickbot would require an unprecedented level of collaboration among parties and countries that most likely would not cooperate anyway. That’s partly because Trickbot’s primary command and control mechanism supports communication over The Onion Router (TOR) — a distributed anonymity service that is wholly separate from the regular Internet.

“As a result, it is highly likely a takedown of the Trickbot infrastructure would have little medium- to long-term impact on the operation of Trickbot,” Intel 471 wrote in an analysis of Microsoft’s action.

What’s more, Trickbot has a fallback communications method that uses a decentralized domain name system called EmerDNS, which allows people to create and use domains that cannot be altered, revoked or suspended by any authority. The highly popular cybercrime store Joker’s Stash — which sells millions of stolen credit cards — also uses this setup.

From the Intel 471 report [malicious links and IP address defanged with brackets]:

“In the event all Trickbot infrastructure is taken down, the cybercriminals behind Trickbot will need to rebuild their servers and change their EmerDNS domain to point at their new servers. Compromised systems then should be able to connect to the new Trickbot infrastructure. Trickbot’s EmerDNS fall-back domain safetrust[.]bazar recently resolved to the IP address 195.123.237[.]156. Not coincidentally, this network neighborhood also hosts Bazar malware control servers.”

“Researchers previously attributed the development of the Bazar malware family to the same group behind Trickbot, due to code similarities with the Anchor malware family and its methods of operation, such as shared infrastructure between Anchor and Bazar. On Oct. 12, 2020 the fall-back domain resolved to the IP address 23.92.93[.]233, which was confirmed by Intel 471 Malware Intelligence systems to be a Trickbot controller URL in May 2019. This suggests the fall-back domain is still controlled by the Trickbot operators at the time of this report.”
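The EmerDNS fallback described above gives defenders one practical signal: a standard resolver cannot answer queries for EmerDNS zones (they return NXDOMAIN), so a host on a corporate network even asking for a .bazar name is worth a look. The following is an added example, not code from the article, Microsoft or Intel 471: it scans constructed BIND-style query-log lines for EmerDNS zones and for the one indicator the report quotes (safetrust[.]bazar). The log format and the hostnames other than safetrust.bazar are made up; the zone list (.coin, .emc, .lib, .bazar) is the publicly documented EmerDNS set.

```python
"""Flag DNS queries for EmerDNS zones in resolver query logs (constructed sample)."""
import re

# Publicly documented EmerDNS top-level zones; none exist in the ICANN root.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}
# Indicator quoted (defanged) in the Intel 471 report, refanged for matching.
KNOWN_BAD = {"safetrust.bazar"}

# Assumed BIND-style query log line, e.g.
# 12-Oct-2020 09:51:02.101 client 10.0.0.7#53212 query: safetrust.bazar IN A
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+ query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def refang(name: str) -> str:
    """Turn a defanged indicator such as safetrust[.]bazar into a plain name."""
    return name.replace("[.]", ".").lower().rstrip(".")


def defang(name: str) -> str:
    """Defang a name for safe display in reports."""
    return name.replace(".", "[.]")


def classify(qname: str):
    """Return 'known-bad', 'emerdns-zone', or None for a queried name."""
    name = refang(qname)
    if name in KNOWN_BAD:
        return "known-bad"
    if name.rsplit(".", 1)[-1] in EMERDNS_TLDS:
        return "emerdns-zone"
    return None


def scan(lines):
    """Return (client, defanged name, verdict) for every suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        verdict = classify(m["qname"])
        if verdict:
            hits.append((m["src"], defang(refang(m["qname"])), verdict))
    return hits


# Constructed sample log; the .lib hostname is invented for illustration.
SAMPLE_LOG = [
    "12-Oct-2020 09:51:02.101 client 10.0.0.7#53212 query: safetrust.bazar IN A",
    "12-Oct-2020 09:51:03.442 client 10.0.0.9#40011 query: www.example.com IN A",
    "12-Oct-2020 09:51:05.008 client 10.0.0.7#53213 query: update.somehost.lib IN A",
]
```

Because the zones never resolve through a normal resolver, the query itself (not its answer) is the detection; the same client appearing twice here is the kind of pattern a triage queue should surface.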

Intel 471 concluded that the Microsoft action has so far done little to disrupt the botnet’s activity.

“At the time of this report, Intel 471 has not seen any significant impact on Trickbot’s infrastructure and ability to communicate with Trickbot-infected systems,” the company wrote.

The legal filings from Microsoft are available here.

Update, 9:51 a.m. ET: Feodo Tracker now lists just six Trickbot controllers as responding. All six were first seen online in the past 48 hours. Also added perspective from Intel 471.