Multinational Law Enforcement Operation Takes Down the Emotet Botnet


Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world.

The Emotet botnet was one of the most prolific malware botnets of the last decade, and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and were one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet.

The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous. Emotet was used to deliver TrickBot and QakBot, which in turn were used to deliver ransomware variants such as Ryuk, Conti, Egregor, and ProLock.

Once a device was infected with the Emotet Trojan, it was added to the botnet and used to infect other devices. Emotet could spread laterally across networks and hijack email accounts to send copies of itself to the victim's contacts. The Emotet gang took phishing to the next level and their campaigns were highly successful. A wide range of lures was used to maximize the chance of the emails being opened and the malware installed. Emotet also hijacked existing message threads and inserted itself into email conversations, so that the malicious attachment arrived as a reply to a genuine exchange and was more likely to be opened.

The law enforcement operation was planned for around 2 years and was a collaborative effort between authorities in the Netherlands, Germany, France, Lithuania, Canada, Ukraine, the United States, and the United Kingdom, with the operation coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, each of which performed a different function: managing infected computers, distributing copies of the Emotet Trojan, exfiltrating data, and providing services to other cybercrime groups. The Emotet gang had also built resiliency into its infrastructure to withstand takedown attempts.

In order to take down the infrastructure and prevent any attempt at restoration, the operation was coordinated so that law enforcement agencies took control of the servers simultaneously from the inside. The servers are now under the control of law enforcement, and a module that uninstalls the malware is already being distributed. Europol says the malware will be uninstalled from infected devices on March 25, 2021 at 12:00.

In addition to severely disrupting the operation, several members of the Emotet gang in Ukraine suspected of running the botnet have been arrested, and further arrests are expected to follow.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
