Europol, the FBI and law enforcement agencies around the world, including Canada, the Netherlands, France, Germany, Lithuania, the United Kingdom and Ukraine, conducted a large-scale coordinated operation of Emotet botnet elimination. Preparations for it lasted two years.
Emotet dates back to 2014 and has become one of the most active malware threats in recent years. The malware was distributed mainly via email spam and malicious documents such as Word, Excel, and so on.“Such letters could be disguised as invoices, waybills, account security warnings, party invitations or information about the spread of the coronavirus. In short, hackers closely followed the global trends and constantly improved the decoy letters”, – explain researchers.
Although Emotet once started out as a classic banking Trojan, the threat eventually evolved into a powerful downloader with many modules, and its operators began to actively cooperate with other criminal groups.
Having penetrated the victim’s system, Emotet used the infected machine to send further spam, and also installed various additional malware on the device. They were often bankers such as Trickbot, miners, info-stealers, as well as ransomware like Ryuk.
Let me remind you that in the summer we wrote that Emotet botnet resumed activity after 5 months of downtime.
In its report, Europol calls Emotet “the most dangerous malware in the world” and “one of the most prominent botnets of the last decade”. The elimination of this malware, according to law enforcement officers, will become one of the largest operations of this kind, and will also have a powerful impact on the entire underworld.
“Emotet has been our number one threat for a long time, and its elimination will go a long way. Emotet is involved in 30% of all malware attacks, so its successful elimination will have a large impact on the entire criminal environment, says Fernando Ruiz, head of operations at the European Cybercrime Center. – We have eliminated one of the main droppers in the market, and now there is likely to be a gap that other criminals will try to fill. But for a while [our operation] will have a positive impact on cybersecurity.”
The authorities say that by joining forces, they managed to seize control of the Emotet infrastructure and disrupt its work. As a result, the criminals were no longer able to use the hacked machines, and the malware stopped spreading to new targets.
“Emotet’s infrastructure included several hundred servers located around the world, each with different functionality to manage infected victim computers, spread to new machines, serve other criminal groups, and ultimately make the network more resilient to disconnection attempts”, – Europol experts write.
Although the criminals’ servers were located in many countries around the world, the Dutch police said that two of Emotet’s three main control servers were located in their country.
Apparently, this is where the database of stolen email addresses, usernames and passwords was found. Now everyone can check if they have been hacked through Emotet by simply visiting the website of the Netherlands police.
Also, law enforcement officers said they used their access to the command-and-control servers to deploy a special update to all infected hosts. The code for this update contains a “ticking time bomb”: this mechanism will remove Emotet from all infected machines on March 25, 2021 at 12:00 local time. This data is confirmed by numerous information security companies and experts.
Experts say this “planned outage” will effectively reset Emotet, forcing malware operators to start over and giving IT staff around the world the ability to find and secure infected devices.
By the way, we wrote that Unknown hackers interfere in the work of the Emotet botnet by replacing malware with GIF files.
However, it is not known how many Emotet operators will finally stay free. The fact is that the Cyber Police of Ukraine has already announced the arrest of two people, whose activities caused damage to foreign banks in the amount of more than $2.5 billion. It is reported that now the detainees face up to 12 years in prison.