A global operation between law enforcement and judicial authorities worldwide have disrupted one of most significant botnets of the past decade, EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action. This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats, EMPACT.
“The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts,” said Europol in a statement. “To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in an action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint
Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint said, “At this stage, it is difficult to tell what this global action will bring. Law enforcement events can have and previously have had variable impact on disrupting the technology and operators of these large-scale botnets. Considering this appears to be a law enforcement action on the backend infrastructure of the EMOTET botnet, this really could be the end. Further to this, if the threat actors behind the botnet, TA542, were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.”
Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software
Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software said, “EMOTET earned its reputation not just because of its dynamic nature and unique technical features, but also because of the highly-organised criminal business model it developed. Instead of acting alone, the people behind EMOTET chose to collaborate with other organised cybercrime groups like Trickbot and Ryuk Ransomware, and together they became very effective partners in crime.”
Lotem added, “In this vicious coalition, EMOTET, through its broad world-wide infrastructure, was responsible for gaining the first foothold within companies and organisation all around the globe. This large base of infections was then sold to Trickbot, which was responsible for broadening the foothold within targeted networks, dissecting them into industries and companies, and in turn selling those infected networks onto ransomware players as Ryuk. This has been the infrastructure behind the ongoing success of ransomware attacks in recent years.”
Kimberly Goody, Senior Manager of Cybercrime Analysis, Mandiant Threat Intelligence
Kimberly Goody, Senior Manager of Cybercrime Analysis, Mandiant Threat Intelligence said, “Between October 2020 and January 2021, we observed EMOTET distribute multiple malware variants that have been used to enable ransomware operations, so it is plausible that this EMOTET disruption may reduce the immediate victim pool for ransomware deployment in the short term.”
Kimberly added, “Mandiant has observed threat actors rebuild their botnets following other takedown or disruption efforts, although the likelihood of this scenario hinges on the significance of the individuals who have been apprehended. Notably, the actors behind EMOTET have existing partnerships with other notable malware operations, including Trickbot, Qakbot, and Silentnight. In addition to distributing these families as secondary payloads, we have occasionally observed EMOTET being distributed by these families in the past. These existing partnerships and renewed spamming could be leveraged to rebuild the botnet.”