Europol takes down 'dangerous' Emotet botnet

Experts urge businesses to stay vigilant as it's unlikely Emotet is down for good

Europol has led international efforts to disrupt the Emotet botnet, killing off one of the most prevalent and dangerous global cyber security threats.

Investigators from Europol and nations including the UK, US, and France seized control of several hundred servers that comprised Emotet’s infrastructure this week.

Through coordinated action, law enforcement and judicial authorities gained control of the malware's infrastructure and "took it down from the inside", authorities announced on Wednesday. Victims infected with the malware will now be redirected to law enforcement-controlled landing pages.

The UK's National Crime Agency (NCA) confirmed it had worked with international colleagues for nearly two years to map the infrastructure of Emotet. The takedown was launched yesterday, and the operation included the searches of properties in Ukraine. Europol described these actions as a unique and new approach to disrupt the activities of cyber criminals.

The NCA led the financial arm of the investigation, which included tracking how the criminal network was funded and who was profiting from it. Investigators found that $10.5 million (approximately £7.7 million) had moved over a two-year period to just one cryptocurrency platform, while $500,000 (roughly £366,000) had been spent on maintaining the botnet's infrastructure.

The world's most wanted

This operation is highly significant given how prevalent and dangerous Emotet was considered to be. The threat was a mere banking Trojan when it was conceived in 2014, but it eventually mutated into a notorious distributor for other strains. As 'loader' malware, it has been behind other infamous threats including Qbot, TrickBot, and the rampant Ryuk ransomware.

Research published this month showed Emotet was used to target 100,000 users per day over December 2020, impacting 7% of organisations around the world during this period.

“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and Ryuk, which have had significant economic impact on UK businesses," said deputy director of the National Cyber Crime Unit, Nigel Leary.

"This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically."

Emotet used various methods to avoid detection, and deployed techniques to stay persistent. For example, it was able to infect entire corporate networks by spreading laterally after gaining access to just a few devices.


Through an automated process, Emotet was delivered to victims’ devices through infected email attachments, in combination with a variety of lures. These have included fake invoices, shipping notices, and information about COVID-19.

The emails all contained malicious Word documents, either attached to the email itself or accessible through a link. Once opened, users would be prompted to "enable macros" so the malicious code hidden in the file could run and install the Emotet malware.

The cyber criminals behind Emotet would then effectively sell access to compromised victims to other threat groups, who would use Emotet as a vehicle to launch their own attacks. These might include banking Trojans or ransomware strains.

Beware the botnet's resurrection

Stefano De Blasi, a threat researcher with Digital Shadows, welcomed news of the “proactive” operation but warned businesses should not become complacent.

US Cyber Command, for example, took down Trickbot in October last year, but the security threat has recently re-emerged in the shape of a far more persistent strain.

“The ‘new and unique approach’ of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer downtime for Emotet,” De Blasi said.

“Nonetheless, it is crucial to highlight that despite the infrastructure takeover conducted by law enforcement, it is unlikely that Emotet will cease to exist after this operation. Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure - just like the TrickBot operators did after the aforementioned operation.”

This is the latest example of law enforcement action against prominent cyber threats, with Europol earlier this month also coordinating efforts to take down the world’s largest dark web marketplace. The operation, which also included the UK’s National Crime Agency (NCA), put a halt to illegal trade valued at approximately £125 million.

Only this week, meanwhile, the US Department of Justice (DoJ) launched action against the platform hosting the infamous NetWalker ransomware, disrupting its operations and seizing $500,000 (roughly £366,000). The scale of the NetWalker threat exploded last year due to its ‘as a service’ expansion, with the group offering its tools for sale over the dark web.
