International law enforcement effort pulls off Emotet botnet takedown

Law enforcement and judicial authorities worldwide have effected a global takedown of the Emotet botnet, Europol announced today.

Emotet takedown

“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware. Investigators have now taken control of its infrastructure in an international coordinated action,” they explained.

The Emotet takedown

The Emotet takedown has included Europol, Eurojust, and authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine.

“The criminal organization behind Emotet distributed the malware through an extensive and complex network of hundreds of servers. Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay,” the Dutch police explained.

“An in-depth and innovative criminal investigation eventually mapped the entire infrastructure. Two of the three main servers turned out to be located in the Netherlands, the third abroad. This week we managed to take control of this network and deactivate the Emotet malware. A software update is placed on the Dutch central servers for all infected computer systems. All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined. The police have used their hacking powers to penetrate and investigate Emotet’s cyber-criminal infrastructure. It was necessary to take action simultaneously in all countries concerned in order to be able to effectively dismantle the network and thwart any reconstruction of it.”

The German Federal Criminal Police said that “as part of the legal assistance measures in Ukraine, control of the Emotet infrastructure was taken over from one of the alleged operators.”

The Ukranian Cyberpolice said it identified two Ukrainian citizens who ensured the proper functioning of the Emotet infrastructure and that other members of an international hacker group who used the Emotet infrastructure to conduct cyberattacks have also been identified and measures are being taken to detain them.

A few years ago, Trend Micro researchers revealed that Emotet gang had set up two command and control infrastructures to make the botnet resilient to takedowns. Time will tell if this latest action will result in a significant or total crippling of the botnet.

The Emotet threat

“The Emotet group managed to take email as an attack vector to a next level,” Europol noted.

They used different lures to trick unsuspecting users into opening malicious Word documents. The targets were then prompted to “enable macros” so that the malicious code hidden in the Word file could run and install the Emotet malware on a victim’s computer.

The Emotet gang was often hired by other cyber crooks to deliver additional malware on the target systems, most often TrickBot and Ryuk.

“Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild,” Europol noted.

The infected machines of the victims have now been redirected towards the law enforcement-controlled infrastructure. The Dutch National Police has also managed to grab a database containing e-mail addresses, usernames and passwords stolen by Emotet, and have provided a web page into which those who suspect they’ve been compromised can enter their email address to check.

“As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” Europol concluded.

Don't miss