Europol takes down 'dangerous' Emotet botnet

Experts urge businesses to stay vigilant as it's unlikely Emotet is down for good

Europol has led international efforts to disrupt the Emotet botnet, killing off one of the most prevalent and dangerous global cyber security threats.

Investigators from Europol and nations including the UK, US, and France seized control of several hundred servers that comprised Emotet’s infrastructure this week.

Through coordinated action, law enforcement and judicial authorities gained control of the malware's infrastructure and "took it down from the inside", authorities announced on Wednesday. Victims infected with the malware will now be redirected to law enforcement-controlled landing pages.

The UK's National Crime Agency (NCA) confirmed it had worked with international colleagues for nearly two years to map the infrastructure of Emotet. The takedown was launched yesterday, and the operation included the searches of properties in Ukraine. Europol described these actions as a unique and new approach to disrupt the activities of cyber criminals.

The NCA led the financial arm of the investigation, which included tracking how the criminal network was funded, and who was profiteering. They learned $10.5 million (approximately £7.7 million) had moved over a two-year period to just one cryptocurrency platform, while $500,000 (roughly £366,000) had been spent on maintaining its infrastructure.

The world's most wanted

This operation is highly significant considering how prevalent and dangerous the Emotet botnet was considered. The threat was once a mere banking Trojan when it was conceived in 2014, but would eventually mutate into a notorious distributor for other strains. This ‘loader’ malware has also been behind other infamous threats including Qbot, TrickBot, and the rampant Ryuk ransomware.

Research published this month showed Emotet was used to target 100,000 users per day over December 2020, impacting 7% of organisations around the world during this period.

“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and Ryuk, which have had significant economic impact on UK businesses," said deputy director of the National Cyber Crime Unit, Nigel Leary.

"This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically."

Emotet used various methods to avoid detection, and deployed techniques to stay persistent. For example, it was able to infect entire corporate networks by spreading laterally after gaining access to just a few devices.

Related Resource

How LogPoint uses MITRE ATT&CK

Stronger cyber security with MITRE ATT&CK

How to improve your cyber security with MITRE ATT&CK - A LogPoint whitepaperDownload now

Through an automated process, Emotet was delivered to victims’ devices through infected email attachments, in combination with a variety of lures. These have included fake invoices, shipping notices, and information about COVID-19.

The emails all contained malicious Word documents either in the email itself, or accessible through a link. Once opened, users would be prompted to “enable macros” so the malicious code hidden in the file could run, and install Emotet malware.

The cyber criminals behind Emotet would then effectively sell access to compromised victims to other threat groups, who would use Emotet as a vehicle to launch their own attacks. These might include banking Trojans or ransomware strains.

Beware the botnet's resurrection

Stefano De Blasi, a threat researcher with Digital Shadows, welcomed news of the “proactive” operation but warned businesses should not become complacent.

US Cyber Command, for example, took down Trickbot in October last year, but the security threat has recently re-emerged in the shape of a far more persistent strain.

“The "new and unique approach" of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer downtime for Emotet,” De Blasi said.

“Nonetheless, it is crucial to highlight that despite the infrastructure takeover conducted by law enforcement, it is unlikely that Emotet will cease to exist after this operation. Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure - just like the TrickBot operators did after the aforementioned operation.”

This is the latest example of law enforcement action against prominent cyber threats, with Europol earlier this month also coordinating efforts to take down the world’s largest dark web marketplace. The operation, which also included the UK’s National Crime Agency (NCA), put a halt to illegal trade valued at approximately £125 million.

Only this week, meanwhile, the US Department of Justice (DoJ) launched action against the platform hosting the infamous NetWalker ransomware, disrupting its operations and seizing $500,000 (roughly £366,000). The scale of the NetWalker threat exploded last year due to its ‘as a service’ expansion, with the group offering its tools for sale over the dark web.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now


Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
New malware uses search engine ads to target pirate gamers

New malware uses search engine ads to target pirate gamers

21 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

The benefits of workload optimisation

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021