
Emotet botnet goes offline as cops seize servers

The Emotet botnet has been disrupted and knocked offline after a major international effort by law enforcement

The Emotet botnet, one of the most widespread and dangerous cyber threats in operation today, has been forced offline in an international law enforcement operation by police on both sides of the Atlantic.

The botnet’s infrastructure was taken down from the inside after being seized earlier this week in the Europol-coordinated operation. At the time of writing, the infected machines of Emotet’s victims are being redirected to – or sinkholed within – this police-controlled infrastructure, which means the botnet effectively poses no threat at this point because cyber criminals cannot access the machines, and further infections cannot spread.

“The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts,” said Europol in a statement.

“To severely disrupt the Emotet infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. This is a unique and new approach to effectively disrupt the activities of the facilitators of cyber crime.”

First discovered as a fairly run-of-the-mill banking trojan back in 2014, Emotet evolved over the years into one of the most professional and resilient cyber crime services in the world, and became a “go-to” solution for cyber criminals.

Its infrastructure acted as a mechanism to gain access to target systems, which was done via an automated spam email process that delivered Emotet malware to its victims via malicious attachments, often shipping notices, invoices and, since last spring, Covid-19 information or offers. If opened, victims would be prompted to enable macros that allowed malicious code to run and install Emotet.

This done, Emotet’s operators then sold access on to other cyber criminal groups as a means to infiltrate their victims, steal data, and drop malware and ransomware. The operators of TrickBot and Ryuk were among the many users of Emotet.

In a sign of how professionalised the cyber criminal world has become in recent years, its operators were particularly noted for taking time off, often around major holidays, to refresh both themselves and their operation.

As part of the investigation conducted by Dutch national police, a recovered database of emails, usernames and passwords stolen by Emotet has been made available and distributed worldwide via national computer emergency response teams (Certs). If you are interested to learn if your data is contained in this trove, you can enter your details here.

The UK's National Crime Agency provided support through the tracking of illicit funds being moved by the Emotet gang, with $10.5m being moved over two years via one virtual currency platform. The agency said that the group also spent approximately $500,000 over the same period to maintain its operation. It also assisted in the identification of some of the servers used.

“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses,” said Nigel Leary, deputy director of the NCA's Cyber Crime unit.

“Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.

“This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically,” said Leary.

“Using our international reach, the NCA will continue to work with partners to identify and apprehend those responsible for propagating Emotet Malware and profiting from its criminality,” he added.

Investigators from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, and the US also took part in the operation.

Users can best protect themselves from threats such as Emotet by paying more attention to basic cyber security hygiene, particularly around phishing emails. This advice, as always, includes not opening or clicking on attachments you weren’t expecting, double checking with supply chain partners if an unexpected invoice arrives, being suspicious of spelling errors and lookalike sender addresses, and so on.

Beyond that, up-to-date antivirus and fully patched operating systems are also highly recommended.
