The world’s most prolific and dangerous malware botnet has been taken down following a global law enforcement operation that was two years in planning.
Europol, the FBI, the UK’s National Crime Agency and others coordinated action which has resulted in investigators taking control of the infrastructure controlling Emotet, in one of the most significant disruptions of cyber-criminal operations in recent years.
Emotet first emerged as a banking trojan in 2014 but evolved into one of the most powerful forms of malware used by cyber criminals.
Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware – regular themes include invoices, shipping notices and information about COVID-19.
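As an added illustration of the delivery mechanism described above, not code from the article or from any law enforcement or vendor tool: a small mail-gateway triage routine that inspects a Word attachment for its container type (legacy binary .doc, or an OOXML document carrying a VBA project) and combines that with the lure themes the article names. The message subjects and attachments below are constructed samples, and the verdict thresholds are an assumption for demonstration.

```python
import io
import zipfile

# Lure themes the article lists for Emotet campaigns (constructed keyword list).
LURE_THEMES = ("invoice", "shipping", "covid")
# Magic bytes of the OLE compound file container used by legacy binary .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def word_attachment_kind(data: bytes) -> str:
    """Classify a Word attachment by its container, not by its file extension."""
    if data.startswith(OLE_MAGIC):
        return "legacy-doc"           # binary .doc; can embed VBA macros
    if data.startswith(b"PK"):        # OOXML documents are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "word/vbaProject.bin" in names:
            return "macro-enabled"    # a VBA project is present (.docm-style)
        if "word/document.xml" in names:
            return "docx-no-macros"
    return "unknown"


def triage(subject: str, attachment: bytes) -> dict:
    """Return the container kind, whether the subject matches a lure theme, and a verdict."""
    kind = word_attachment_kind(attachment)
    lure = any(theme in subject.lower() for theme in LURE_THEMES)
    macro_capable = kind in ("legacy-doc", "macro-enabled")
    if macro_capable:
        verdict = "quarantine" if lure else "review"
    else:
        verdict = "review" if lure else "deliver"
    return {"kind": kind, "lure": lure, "verdict": verdict}


def make_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML sample in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("Invoice 4471 overdue", make_ooxml(True)))      # quarantine
    print(triage("Minutes from Monday", make_ooxml(False)))      # deliver
    print(triage("COVID-19 update", OLE_MAGIC + b"\x00" * 16))   # quarantine
```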
Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.
It resulted in Emotet becoming what Europol describes as “the world’s most dangerous malware” and “one of the most significant botnets of the past decade”, with operations like Ryuk ransomware and TrickBot banking trojan hiring access to machines compromised by Emotet in order to install their own malware.
The takedown of Emotet, therefore, represents one of the most significant actions against a malware operation and cyber criminals in recent years.
“This is probably one of the biggest operations in terms of impact that we have had recently and we expect it will have an important impact,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3) told ZDNet. “We are very satisfied.”
A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure, hundreds of servers across the globe, and disrupted it from the inside.
Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit the compromised machines and the malware can no longer spread to new targets, something that will cause significant disruption to cyber-criminal operations.
“Emotet was our number one threat for a long period and taking this down will have an important impact. Emotet is involved in 30% of malware attacks; a successful takedown will have an important impact on the criminal landscape,” said Ruiz.
“We expect it will have an impact because we’re removing one of the main droppers in the market – for sure there will be a gap that other criminals will try to fill, but for a bit of time this will have a positive impact for cybersecurity,” he added.
The investigation into Emotet also uncovered a database of stolen email addresses, usernames and passwords. People can check if their email address has been compromised by Emotet by visiting the Dutch National Police website.
Europol is also working with Computer Emergency Response Teams (CERTs) around the world to help those known to be infected with Emotet.
In order to help protect against malware threats like Emotet, Europol recommends using anti-virus tools along with fully updated operating systems and software – so cyber criminals can’t exploit known vulnerabilities to help deliver malware. It’s also recommended that users are trained in cybersecurity awareness to help identify phishing emails.
The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.
The investigation into Emotet, and identifying the cyber criminals responsible for running it, is still ongoing.