And now a global law enforcement operation says they’ve seized control of it.
On Wednesday, Europol announced that a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine disrupted the prolific Emotet malware operation by taking control of its infrastructure.
“Law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime,” Europol said in its announcement.
A video shared on YouTube by Ukraine’s National Police shows law enforcement officers raiding a run-down building and seizing computer devices, stacks of hundred-dollar bills, passports, and what appears to be dozens of gold bars. They also announced the arrest of two Ukrainian citizens who are accused of helping maintain the operation and face up to 12 years in prison. Dutch police said they launched a website that lets users check to see if their email address is compromised by Emotet.
Cybersecurity researchers said the efforts would likely have a major impact on slowing down or halting the operation.
“The joint takedown of the Emotet network is significant. Unlike recent botnet takedown attempts (eg. Trickbot), which were exclusively virtual, this time it’s different with the physical action against the cybercriminals running it,” Costin Raiu, director of Kaspersky’s global research and analysis team, told The Record. “I suspect the arrests, coupled with the joint, coordinated action from multiple law enforcement agencies against their network infrastructure will have a significant impact on Emotet.”
Late last year, Microsoft used trademark law to disrupt Trickbot, and U.S. Cyber Command also launched an effort to take it down. Those efforts created hurdles for the operation, but did not dismantle it completely.
It’s unclear if the same thing could happen to Emotet. Levi Gundert, senior vice president of global intelligence at Recorded Future, said the leaders of the operation are believed to be in Russia with significant resources. “They will quickly rebuild their infrastructure,” he said.
“Since it is possible that maybe not all the cybercriminals behind Emotet were arrested, it remains to be seen if they will be able to execute a comeback, be it as Emotet, or merge with another group and continue from there. In all cases, this should be a significant blow to their operations, possibly the most important botnet takedown during the past years,” said Raiu.
Emotet was first identified as a banking trojan in 2014; it operated initially as a standalone threat and later as a distributor of other trojans. It is commonly spread through malicious spam emails containing an attached Microsoft Word or Excel document. Although the spam emails vary in content, they often involve a requested payment or a delivery notification for tracking shipments.
Emotet relies on volume to generate new infections: operators don’t seem to target specific industries or regions, according to Recorded Future research. And it acts as a computer worm: infected hosts become part of the spam botnet that is used to further spread Emotet via spam emails. In October, CISA warned of an uptick in Emotet activity, and said that its “Einstein” intrusion detection system, which protects federal civilian executive branch networks, had detected roughly 16,000 alerts related to Emotet activity since July.