Police take down Emotet and help possible victims with new tactics

Christopher Budd 27 Jan 2021

Taking the Emotet botnet away from cybercriminals and into the hands of law enforcement

Today, law enforcement agencies from around the world successfully wrested control of the Emotet botnet away from its operators. They also took new unprecedented steps to help possible Emotet victims. These steps hopefully bring to a close the story of one of the most adaptable and prolific attack groups out there.

In one of the largest and most effective global takedown operations yet, police agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States, coordinated by Europol and Eurojust, took control of Emotet’s servers. This put them in control of the botnet also giving them the data the Emotet group has compiled on their victims.

Further reading:
How Emotet returned to the scene

To help those who have been affected by Emotet, law enforcement is using their newly-gained control of the Emotet infrastructure and data to its fullest.

First, the Dutch police say (via Google Translate), ”A software update is placed on the Dutch central servers for all infected computer systems. All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined”. This will hopefully eliminate any malware that the Emotet group has on infected computers.

Second, the Dutch police have a sign-up page where you can enter your email address and the Dutch police will notify you if your email is present in the data that has been seized. This information can help you know if you are or have been infected by the Emotet group.

Both of these are new steps to help botnet victims and help make it easier for people to recover from infection and know if they’re victims.

A bit about Emotet's history

Emotet has become one of the best-known botnets due to its longevity and adaptability. Emotet started as a banking Trojan in 2014 under the control of a group known as TA542, Mealybug and MUMMY SPIDER.

Over time, the group changed malware and tactics and also came to be best known by the name of their first malware: Emotet. One of the things that has made the Emotet group so notable is how they professionalized their illegal business.

By 2017, the Emotet group shifted from stealing bulk data themselves to selling their services to others, a step in the direction of professionalization that brings to mind Bill Gates’ observation about the internet gold rush when he said “people who are selling pans to the prospectors often will do better than the prospectors themselves”.

In 2018, the Emotet group expanded their capacity to deliver spam significantly. In September, they were delivering over half a million spam messages in a single day. By October, they more than doubled that capacity to deliver over a million spam messages in a day.

The Emotet group also showed their professionalism through their adaptability. Not only did they change their business model, but they would also change their payloads, delivery methods and most importantly, their lures. For instance, in 2020, the Emotet group was aggressive in their use of Covid-19 lures to exploit global fears around the pandemic.

Today's events take the botnet that the Emotet group built up and put it in the hands of law enforcement. As we’ve seen, law enforcement is already using their control to help victims. This likely means that the Emotet botnet as we know it is gone.

However, one thing that is notable in today’s actions is what information is about charges or arrests. As of now, there is no significant mention of either, indicating that the law enforcement action has likely yielded results so far only on the attackers’ tools, not the attackers themselves. This may mean that the Emotet group could try to regroup and rebuild. Even without their botnet at their disposal, they may well have other copies of their data, which they could use to try and start building a new botnet. We’ve seen a high degree of adaptability from this group, which makes the chances they’ll try to regroup and rebuild greater than with other groups taken down in the past.

For now, though, the most important thing everyone can do is to see if your information is in the Emotet groups’ data by going to the Dutch police's website and using security protection products (like Avast’s antivirus tools) that can protect against Emotet and be best placed to help protect against any attempts by the Emotet group to return.

--> -->