Europol takes down 'dangerous' Emotet botnet
Experts urge businesses to stay vigilant as it's unlikely Emotet is down for good


Europol has led international efforts to disrupt the Emotet botnet, killing off one of the most prevalent and dangerous global cyber security threats.
Investigators from Europol and nations including the UK, US, and France seized control of several hundred servers that comprised Emotet’s infrastructure this week.
Through coordinated action, law enforcement and judicial authorities gained control of the malware's infrastructure and "took it down from the inside", authorities announced on Wednesday. Victims infected with the malware will now be redirected to law enforcement-controlled landing pages.
The UK's National Crime Agency (NCA) confirmed it had worked with international colleagues for nearly two years to map the infrastructure of Emotet. The takedown was launched yesterday, and the operation included the searches of properties in Ukraine. Europol described these actions as a unique and new approach to disrupt the activities of cyber criminals.
The NCA led the financial arm of the investigation, which included tracking how the criminal network was funded and who was profiting from it. Investigators found that $10.5 million (approximately £7.7 million) had moved over a two-year period to just one cryptocurrency platform, while $500,000 (roughly £366,000) had been spent on maintaining the botnet's infrastructure.
The world's most wanted
This operation is highly significant considering how prevalent and dangerous the Emotet botnet was considered to be. The threat began life as a banking Trojan when it was conceived in 2014, but eventually mutated into a notorious distributor for other malware strains. As a 'loader', Emotet was used to deliver other infamous threats including Qbot, TrickBot, and the rampant Ryuk ransomware.
Research published this month showed Emotet was used to target 100,000 users per day over December 2020, impacting 7% of organisations around the world during this period.
“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and Ryuk, which have had significant economic impact on UK businesses," said deputy director of the National Cyber Crime Unit, Nigel Leary.
"This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically."
Emotet used various methods to avoid detection and deployed techniques to stay persistent on infected machines. It was also able to compromise entire corporate networks by spreading laterally after gaining access to just a few devices.
Through an automated process, Emotet was delivered to victims’ devices through infected email attachments, in combination with a variety of lures. These have included fake invoices, shipping notices, and information about COVID-19.
The emails all carried malicious Word documents, either attached to the email itself or accessible through a link. Once a document was opened, the user would be prompted to "enable macros" so that the malicious code hidden in the file could run and install the Emotet malware.
The cyber criminals behind Emotet would then effectively sell access to compromised victims to other threat groups, who would use Emotet as a vehicle to launch their own attacks. These might include banking Trojans or ransomware strains.
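The "enable macros" prompt described above only appears because the document carries a VBA project, and that is something a mail gateway or triage script can check for before the attachment ever reaches a user. The following is an added example, not code from the article or from any law enforcement or vendor tool: a stdlib-only Python attachment inspector that recognises the two Office container formats (legacy OLE2 .doc and zip-based OOXML .docx/.docm), looks for the markers of an embedded VBA project in each, and flags the mismatch where a supposedly macro-free .docx turns out to contain one. The sample documents are constructed inline and are not real Emotet lures; the OLE2 check is a string-search heuristic on UTF-16LE stream names, not a full compound-file parser.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file, the container used by legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names as UTF-16LE. "_VBA_PROJECT" appears in
# both Word (Macros/VBA/_VBA_PROJECT) and Excel (_VBA_PROJECT_CUR) VBA storages.
# Heuristic only: good enough for triage, not a substitute for a real OLE parser.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Extensions Office treats as macro-enabled, plus legacy formats that can carry macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt"}


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Classify an Office attachment by container type and presence of a VBA project.

    Returns a dict with 'container' ('ole2', 'ooxml' or 'unknown'), 'has_vba',
    a list of 'reasons', and a 'verdict' of 'block', 'review' or 'allow'.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result = {"filename": filename, "container": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        if OLE_VBA_MARKER in data:
            result["has_vba"] = True
            result["reasons"].append("OLE2 file contains a _VBA_PROJECT stream name")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                result["container"] = "ooxml"
                # A VBA project in OOXML is always stored as a vbaProject.bin part...
                if any(n.endswith("vbaProject.bin") for n in names):
                    result["has_vba"] = True
                    result["reasons"].append("OOXML package contains vbaProject.bin")
                # ...and the package content types declare a macroEnabled main part.
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if "macroEnabled" in ctypes:
                        result["has_vba"] = True
                        result["reasons"].append("[Content_Types].xml declares a macroEnabled part")
        except zipfile.BadZipFile:
            result["reasons"].append("PK signature but not a readable zip archive")

    # A VBA project behind a non-macro extension (e.g. .docx) is a classic evasion.
    if result["has_vba"] and ext not in MACRO_EXTENSIONS:
        result["reasons"].append(f"extension {ext or '(none)'} does not advertise macro content")

    if result["has_vba"]:
        result["verdict"] = "block"
    elif ext in MACRO_EXTENSIONS:
        # Macro-capable format where the heuristic found nothing: hand to a human or sandbox.
        result["verdict"] = "review"
    else:
        result["verdict"] = "allow"
    return result


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML (zip) package in memory from a part-name -> content map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real lures): a clean .docx, a macro-enabled
# package renamed to .docx, and a legacy OLE2 blob carrying a VBA project stream name.
BENIGN_DOCX = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument.'
                           'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_PACKAGE_AS_DOCX = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                           '<Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,
})
LEGACY_DOC_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64
LEGACY_DOC_NO_VBA = OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for name, blob in [("invoice.docx", BENIGN_DOCX), ("invoice.docx", MACRO_PACKAGE_AS_DOCX),
                       ("shipping_notice.doc", LEGACY_DOC_WITH_VBA), ("report.doc", LEGACY_DOC_NO_VBA)]:
        r = inspect_office_attachment(name, blob)
        print(f"{name:22} {r['container']:8} vba={r['has_vba']!s:5} -> {r['verdict']}  {r['reasons']}")
```

In a gateway this sits before any user interaction, so the "enable macros" lure never gets a chance to fire; the "review" verdict exists because a legacy .doc can hide VBA in ways a string search will miss, which is why production deployments pair a check like this with a proper OLE parser or detonation sandbox.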
Beware the botnet's resurrection
Stefano De Blasi, a threat researcher with Digital Shadows, welcomed news of the “proactive” operation but warned businesses should not become complacent.
US Cyber Command, for example, took down Trickbot in October last year, but the security threat has recently re-emerged in the shape of a far more persistent strain.
“The "new and unique approach" of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer downtime for Emotet,” De Blasi said.
“Nonetheless, it is crucial to highlight that despite the infrastructure takeover conducted by law enforcement, it is unlikely that Emotet will cease to exist after this operation. Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure - just like the TrickBot operators did after the aforementioned operation.”
This is the latest example of law enforcement action against prominent cyber threats, with Europol earlier this month also coordinating efforts to take down the world's largest dark web marketplace. That operation, which also involved the NCA, put a halt to illegal trade valued at approximately £125 million.
Only this week, meanwhile, the US Department of Justice (DoJ) launched action against the platform hosting the infamous NetWalker ransomware, disrupting its operations and seizing $500,000 (roughly £366,000). The scale of the NetWalker threat exploded last year due to its ‘as a service’ expansion, with the group offering its tools for sale over the dark web.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.