Global Law Enforcement Effort Takes Down EMOTET
Global law enforcement agencies came together to take down one of the most significant botnets in the world: EMOTET, responsible for distributing the EMOTET malware. Canada, France, Germany, Lithuania, The Netherlands, the United Kingdom, the United States, and Ukraine all worked with Europol as part of Operation Ladybird to dismantle the botnet, which distributed malware to conduct ransomware attacks and more.
“EMOTET has been one of the most professional and long-lasting cybercrime services out there,” according to a press release from Europol. “First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorized access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”
🤔 How did Emotet infect its unsuspecting victims? pic.twitter.com/zx5ZBWql4j
— Europol (@Europol) January 27, 2021
FBI agents gained access to EMOTET servers located overseas and identified approximately 1.6 million computers worldwide that were infected with EMOTET malware between 1 April 2020 and 17 January 2021; more than 45,000 of those computers were located in the United States, according to a U.S. Department of Justice (DOJ) press release. Ukrainian law enforcement estimates that EMOTET has caused $2.5 billion in damage, according to an analysis from WIRED.
After gaining access to the EMOTET servers, law enforcement was able to replace the malware on those servers with files that would prevent the EMOTET botnet from communicating further with the computers it had infected. Ukrainian law enforcement also raided an apartment and collected computer equipment as part of the takedown, along with arresting two individuals who have not been named.
“The law enforcement file does not remediate other malware that was already installed on the infected computer through EMOTET; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet,” the DOJ explained.
Emotet, big bad botnet, disrupted. https://t.co/CUnXgh36RP One participant says this is not a short-term setback: "We found their backups...we took all of them. It’s going to be very hard for them to recover, and even if they do, we have other tools up our sleeve to combat that."
— Andy Greenberg (@a_greenberg) January 27, 2021
A security researcher who participated in the takedown spoke with WIRED and said that the law enforcement operation also monitored EMOTET’s backup process to disrupt potential recovery efforts.
“We found their backups and how they use them, and we took all of them,” the researcher said. “It’s going to be very hard for them to recover, and even if they do, we have other tools up our sleeve to combat that.”
Organizations that were impacted by the EMOTET malware should use this moment to scan their systems and conduct some “cleanup as soon as possible,” said Marcus Hutchins, known as MalwareTech, a cybersecurity researcher at Kryptos Logic, in a tweet. “Whilst EMOTET itself is inoperable, other threats it has previously loaded such as TrickBot and QakBot remain active. These infections lead to ransomware such as Ryuk and Egregor.”
It's important that organizations perform cleanup as soon as possible. Whilst Emotet itself is inoperable, other threats it has previously loaded such as TrickBot and QakBot remain active. These infections often lead to ransomware such as Ryuk and Egregor.
— MalwareTech (@MalwareTechBlog) January 27, 2021
Besides posing a security threat to organizations, EMOTET also imposed a significant cost to victims—including U.S. state, local, tribal, and territorial governments. Estimates from the U.S. Department of Homeland Security (DHS) in 2018 said that EMOTET infections cost these government entities up to $1 million per incident to remediate.
The Dutch National Police created a website that allows anyone to check to see if their email address, username, or password was compromised by EMOTET administrators. You can find that information here: https://www.politie.nl/emocheck.