Law Enforcement Operation Disrupts Notorious Emotet BotnetAuthorities Gain Control of Hundreds of Servers, Disrupting Cybercrime Operation
A multinational law enforcement operation has disrupted the Emotet botnet's infrastructure by gaining control of hundreds of servers, reports the EU's law enforcement intelligence agency, Europol.
Authorities also redirected computers previously infected by Emotet to servers operated by law enforcement agencies, Europol says, to help arrest the infections.
"This was big crime, and this is a big success for law enforcement, especially across borders," says Alan Woodward, a visiting computer science professor at the University of Surrey and cybersecurity adviser to Europol. "This was a huge blow: It’s a major dent in this malware’s ability to cause more harm."
Some cybersecurity experts, however, expect that some version of Emotet will eventually rebound following the takedown effort.
Meanwhile, U.S. and Bulgarian authorities have seized servers and disrupted the infrastructure and darknet websites of the NetWalker ransomware gang. They’ve also made one arrest (see: Another Takedown: NetWalker Ransomware Gang Disrupted).
Emotet's Early Life as a Banking Trojan
Europol describes Emotet as “one of the most professional and long-lasting cybercrime services.” First discovered operating as a banking Trojan in 2014, the botnet “evolved into the go-to solution for cybercriminals over the years," the law enforcement agency says.
Emotet's operators used the botnet to gain entry into organizations worldwide and then sold that access to other cybercrime gangs, who used it for their own nefarious purposes, such as delivering ransomware and banking Trojans, according to Europol and security researchers.
The Emotet gang used a fully automated phishing campaign to send emails that are socially engineered to appeal to the recipients. The messages contained a malicious attachment that, when opened, installed malware, Europol says.
After being dormant for several months last year, Emotet reappeared in December 2020 with a new campaign, according to security firm Cofense. The latest campaign delivered Trickbot malware (see: Emotet Botnet Returns After 2-Month Hiatus).
Takedown Effort Results in Arrests
This week, an eight-nation law enforcement team, coordinated by Europol, launched an operation to take down Emotet.
"The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups and to ultimately make the network more resilient against takedown attempts," Europol says.
Ukrainian authorities launched raids in connection with the operation against the botnet-based enterprise. "The law enforcement operation took place on Tuesday, resulting in the arrest of several Ukrainian nationals allegedly responsible for running the botnet’s infrastructure," threat-intelligence firm Intel 471 says in a blog post.
A longer video released by National Police of Ukraine: https://t.co/COyK3SXotX— Sigma Smoke (@SigmaSmoke) January 27, 2021
Law enforcement agencies involved in the takedown hailed from United Kingdom, the Netherlands, Germany, France, Lithuania, Ukraine, the U.S. and Canada.
How Long Might Disruption Last?
The disruption effort will pose serious short-term problems for the Emotet gang, but the group is likely to eventually reemerge, says Jason Meurer, who's a senior research engineer at Cofense.
“I expect they will be down for a bit due to a few arrests in Ukraine, possibly the U.S. and other countries,” he says. “But barring the main group deciding to retire, they will likely be back at some point.”
Some experts say the disruption could have a long-term impact. "This latest Europol operation holds the promise of having caused severe disruption to Emotet's networks and command-and-control infrastructure and given authorities the ability to look deep inside the organization - possibly enabling authorities to keep Emotet down for a long period of time," says Stefano De Blasi, a threat researcher at Digital Shadows.
But he adds that “it is unlikely that Emotet will cease to exist after this operation" because botnets are “extremely versatile.”
Botnets Often Bounce Back
Indeed, other hacking groups operating malicious services have proven to be all too resilient despite law enforcement efforts to shutter their operations.
In October 2020, for example, Microsoft and federal agencies disrupted the Trickbot operation (see: Microsoft, Others Dismantle Trickbot Botnet). Within several weeks, however, the gang behind Trickbot was able to start rebuilding its network (see: Trickbot Rebounds After 'Takedown').
Similarly, someone might now carry the Emotet banner forward, whatever their previous connection to the gang. "Oftentimes groups like this tend to be composed of members spread across different countries, some of which may not be so open to cooperating with international law enforcement," Intel 471 says. "This leaves open the possibility that someone will simply take the code and rebuild."
Even if that happens, however, experts say the operation has been dealt a serious blow. "The effort is a shining example of what needs to be done in order to have any real impact on these organized cybercrime groups," Intel 471 says. "The difference between disruption and takedown boils down to criminals being put in handcuffs. It’s the pinnacle of a takedown operation and the only way to have a long-term impact on the health and safety of the internet."
Executive Editor Mathew Schwartz contributed to this story.