Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in the Ukraine.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.

Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.

“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”

According to the agency, the botnet was used to “infiltrate thousands of companies and millions of computers worldwide.”

Ukrainian police published a remarkable YouTube video this afternoon, entirely in Ukrainian and embedded below, showing a raid on an alleged operator’s home. The video pictures dusty PCs and servers, large numbers of hard drives and (at about 1m50s) what looks like miniature gold bars.

Youtube Video

What is Emotet and why is this a big deal?

Emotet is a frustratingly persistent email-delivered malware dropper aimed at Windows machines. Intended targets are bombarded with emails containing Word documents as attachments. Once the mark is fooled into opening the attachment (typical lure themes include information about topical news such as COVID-19 statistics, supplier invoices and bank letters) and running macros embedded within it, the malware is deployed.

Originally Emotet itself was used for stealing online banking credentials, though later evolutions of it focused more on its ability to infect targets’ computers with any given malware.

The malware’s moneymaking potential hinged on that so-called dropper functionality: the criminals behind Emotet could rent it out to other malware or ransomware gangs. A common payload was Trickbot, another banking trojan – which occasionally dropped the Ryuk ransomware.

Basically, Emotet was behind an awful lot of online badness – and if, as Britain’s NCA claimed, 700 of its command-and-control servers have been taken down, that should make a big dent in malware and ransomware infections.

Nigel Leary, deputy director of the NCA’s National Cyber Crime Unit, said in a statement: “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to 70 per cent of the world’s malwares, including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses.

Good news for Emotet’s victims – you can see if you were infected

The Abuse.ch online malware tracker showed very few known Emotet (aka Heodo, as that site calls the malware) nodes remaining online in the wake of the raids.

Europol also said the raids had resulted in innocent victims already infected with Emotet having those infections neutralised through police gaining control of the crims’ C2 infrastructure, explaining: “The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Dutch police published an Emotet email address checker (the page contains an English translation a few paragraphs in) so potential victims can check if they were known to have been infected by the nasty. This service appears to be powered by a seized list of email addresses known to the criminals behind the malware.

Professor Alan Woodward of the University of Surrey told The Register: “Europol were at the centre coordinating and just like the swoop on Encrochat, this was another big blow to criminals using the internet to cause harm.”

Alan Grau, VP of IoT and embedded solutions at Sectigo, said of the takedown: “The demise of Emotet will be welcomed in many quarters, but there is no doubt that malicious actors will be developing new variants to fill the vacuum. As such, email security practices, especially in light of remote work, are more important than ever.

“To protect against these ongoing attacks, enterprises must continue to train users on how to avoid phishing attacks. It is also critical to implement strong email security. Zero-touch deployment S/MIME email certificates automatically update the security profile of the email communication by authenticating the sender, encrypting the email content and attachment, and ensuring integrity.”

Jordan LaRose, managing consultant at F-Secure, told The Reg: “Emotet has been a perennial enemy of businesses and cybersecurity practices alike for years now, and has contributed to some of the worst incidents we’ve ever seen.

“One of the most difficult aspects of incident response, and combating malware at large, is taking action against attackers who are able to act anonymously and largely without penalty due to the diplomatic implications of retaliation against them. This is never more true than with a botnet like Emotet that has infrastructure distributed among countries all over the world.

LaRose added: “While it is likely that other attackers will rise to fill the void left by Emotet, this investigation should serve as a warning to all other malware groups that distributed attack strategies won’t protect them forever.”

Criminal charges and prosecutions will doubtless follow from the raids. ®

READ MORE HERE