In January of 2021, law enforcement and judicial authorities across the globe disrupted one of the most notable botnets of the past decade: Emotet. Investigators have taken control of its infrastructure in an internationally-coordinated operation. For readers who don’t know, Emotet is malware operated by a Russian cybercrime organization first detected in 2014. 

How Did It Work?

The Emotet hackers used a fully automated email delivery process, distributing malware to victims’ computers through infected e-mail attachments, using Phishing attacks as their primary attack method. A variety of effective campaigns were used to trick unsuspecting users into opening these infected attachments. In the recent past, Emotet phishing campaigns presented invoices, shipping notices, and information about COVID-19 to targets with alarming success rates. Each email contained a malicious Word document, either attached to the email itself or downloadable by clicking on a link within the email message. Once a user opened one of these documents, users were prompted to “enable macros” so that malicious code hidden in the Word file could run and install the malware on the victim’s device. 

What made the Emotet malware strain so alarming is the malware was offered for sale to other hackers via the Dark Web. This allowed multiple criminal organizations to put the malware to use across the globe. This type of attack is one of the biggest cybercrime attacks used in the world today. Emotet ransomware grew quickly and rivaled other large ransomware variants including TrickBot and Ryuk

How Did the Authorities Take Down Emotet?

The system used by Emotet involved hundreds of servers located across the globe, all having different functionalities to manage machines of the infected victims, spread the malware, serve other criminal groups, and make the network more resilient against takedown attempts. 

To critically disrupt the Emotet infrastructure, law enforcement agencies from around the world teamed up. The United States, Canada, UK, Ukraine, France, Netherlands, Lithuania, and Germany all participated in the Emotet take-down. The result of their efforts was that law enforcement and judicial authorities now control Emotet’s infrastructure. Now in control of Emotet’s command and control infrastructure, law enforcement is testing issuing a massive uninstall yourself command to the virus (this approach and its results have yet to be confirmed).

What’s Next?

It’s unquestionably good news that these countries banded together to take down this prolific cybercrime operation. The bad news is that cybercrime always has new and upcoming actors; when one operation gets shut down, others inevitably move in to try to fill that hole. Even though the law enforcement agencies have taken control of Emotet’s systems, until the hackers are arrested and convicted, there’s a chance they’ll rebuild their infrastructure and go back to their old ways. 

What Can you Do?

Malware like Emotet is polymorphic in nature, meaning the malware changes its code and strategy often. Since many anti-virus and anti-malware programs scan the computer for known malware patterns, a code change can cause difficulties for its detection, allowing the infection to go undetected. That’s why it’s important to have a strong combination of cybersecurity tools (anti-virus/malware and operating systems), cybersecurity awareness training, and policy governance to avoid falling victim to advanced threats like Emotet. Users should always carefully check their emails to avoid opening messages or attachments from unknown senders. If a message seems too good to be true – it likely is! Oftentimes, the best line of defense is a human firewall, train and govern your staff to stop the threats where they start.

To learn more about Emotet, watch this short 3 minute video: