Emotet malware taken down by global law enforcement effort

The infamous botnet has been disrupted thanks to an international effort across the US, Canada, and several European nations.

malware in a computer system

Image: kaptnali, Getty Images/iStockphoto

One of the most pervasive, dangerous, and disruptive malicious botnets is out of business, at least for now.

SEE: 10 ways to minimize fileless malware infections (free PDF) (TechRepublic)

The takedown

More about cybersecurity

On Tuesday, the European Union Agency for Law Enforcement Cooperation (Europol) announced that the Emotet botnet has been disrupted as a result of efforts from law enforcement and judicial authorities across several countries. As part of a coordinated action, investigators have taken control of Emotet’s infrastructure, effectively putting a halt to its malicious activities.

Emotet’s infrastructure consisted of several hundred servers located around the world, according to Europol. Each server individually and together helped the attackers behind the operation manage infected computers, spread the malware to new victims, serve other criminal groups, and strengthen their network against takedown attempts.

Many countries participated in the takedown effort, specifically the Netherlands, Germany, France, Lithuania, Canada, the US, the UK, and Ukraine. Many law enforcement agencies and judicial bodies across these nations played a role, including the Judicial Court of Paris in France, the Federal Criminal Police in Germany, the Royal Canadian Mounted Police in Canada, the National Crime Agency in the UK, and the FBI and Department of Justice in the US.

Private companies also played a key part in the takedown. As one example, threat intelligence company Team Cymru partnered with the FBI to help pull off the operation. In a released statement, the firm said that it detailed and validated the IP addresses of Emotet’s Tier 1 controllers and recruited the necessary network operators to help with the takedown.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

By disrupting Emotet’s infrastructure from the inside, the participating bodies were able to redirect the computers of people victimized by Emotet to an infrastructure controlled by law enforcement. Europol called the effort a new and unique way to disrupt the activities of cybercriminals.

Emotet’s background

Emotet was first discovered in 2014 as a banking trojan in which it was used to steal bank account credentials and financial information from those it infected. Over the years, however, the botnet grew into a more go-to product for cybercriminals, and a growing threat to individuals and organizations.

The people behind Emotet started to offer it for hire to other criminals as a way to install different types of malware, including banking trojans and ransomware. Known as a “loader” operation, this type of attack turned Emotet is one of the most infamous and well-known threats in cybercrime, paving the way for other operations such as TrickBot and Ryuk.

SEE: Bad actors launched an unprecedented wave of DDoS attacks in 2020 (TechRepublic)

Emotet typically found its way to computers through infected files sent via email. In these cases, the email messages came with malicious Microsoft Word documents either attached to the message or available for download via a link. After opening such a document, the recipient is asked to enable macros so that the malicious code in the file could activate and install Emotet on the computer.

To trick unsuspecting users into triggering the malware, Emotet campaigns have used such tactics as phony invoices, fake shipping notices, and supposed information about COVID-19. As part of the takedown operation, Dutch police seized the email addresses, usernames, and passwords compromised by Emotet. Anyone curious to see if their email address was stolen by the botnet can fill out a form offered by the Dutch police department.

“The Emotet botnet, which lures victims through phishing emails, in 2020 alone sent emails with over 150,000 different subjects lines and more than 100,000 different file names,” said Lotem Finkelsteen, head of threat intelligence at Check Point Software. “It constantly adjusted its phishing emails to victims’ interests and global events. Emotet activity peaked this year during August to October with an average of 25,000 different file names spotted each month.”

SEE: How ghost accounts could leave your organization vulnerable to ransomware (TechRepublic)

But the number of Emotet emails dropped toward the end of 2020, which Finkelsteen believes may have been due to the global law enforcement effort. Over the past two months, Emotet communications with its Command and Control server declined by 40% from their peak period, Finkelsteen added.

Is Emotet truly gone?

Even after a successful takedown, cybercriminals have a habit of resurfacing in clever and unexpected ways. And the same could easily hold true for Emotet.

“Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever,” Brandon Hoffman, chief information security officer at security firm Netenrich, told TechRepublic. “Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods.”

SEE: How asset management companies are vulnerable to ransomware and phishing attacks (TechRepublic)   

The international effort to disrupt Emotet is certainly to be applauded. But in the seven years the botnet operated, it caused significant damage and disruption. Combatting these types of global threats will need more ongoing and speedier global initiatives.

“We’ve got to aspire to more international cooperation for cybersecurity plus better response time,” Hitesh Sheth, president and CEO at security firm Vectra, told TechRepublic. “None of us knows how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”

Further, now isn’t the time for companies to sit back and relax, according to Dirk Schrader, global VP at cybersecurity provider New Net Technologies. Schrader advises companies to use this pause with Emotet to reenforce their defenses and verify whether all key security controls are in place. That means following at least the top five CIS (Center for Internet Security) controls–inventorying hardware and software, identifying and managing vulnerabilities, controlling administrative privileges, and securing hardware and software on PCs and mobile devices.

Also see