A global sting operation has taken down critical infrastructure behind the Emotet botnet, which criminals have used to steal and extort millions of dollars. But security experts are divided on whether this will have a long-term effect on the spread of one of the world’s most dangerous security threats.
The take-down of the Emotet malware on Wednesday saw law enforcement agencies seize control of more than 700 Emotet servers around the world. Infected machines are now directed to infrastructure controlled by those agencies, rather than cybercriminals. This means compromised machines can no longer be exploited for nefarious purposes, and the malware itself is unable to spread to new targets.
The action was the culmination of a two-year investigation coordinated by Europol, working with the FBI, the UK’s National Crime Agency (NCA) and authorities from the Netherlands, Germany, France, Lithuania, Canada and Ukraine.
What is Emotet malware and why is it so dangerous?
First discovered as a banking trojan in 2014, Emotet has become the go-to malware-as-a-service option for cybercriminals. Usually delivered by email in the form of an infected Word document or other attachment, once installed it acts as a door opener into systems that cybercriminals can use to deliver other types of malware, such as secondary trojans or ransomware.
Criminals will often use spam email to try to convince users to open an infected document and enable Emotet, and the Covid-19 pandemic has sparked a sharp increase in these types of attacks. HP Bromium’s most recent threat insights report says it saw a 1,200% uptick in the number of Emotet spam campaigns it analysed in the third quarter of 2020 when compared with Q2, having isolated “thousands” of Emotet samples.
Emotet has proved an extremely lucrative tool for cybercriminals. Analysis by the NCA of accounts linked to TA542, the cybercriminal group thought to be behind Emotet, showed $10.5m in illicit funds being moved over a two-year period on a single virtual currency platform. NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.
The long-term effects of the Emotet malware take-down
Cybersecurity specialists are confident the action will compromise Emotet’s spread in the short term, even if the long-term implications are less clear. Sherrod DeGrippo, senior director of the threat research and detection team at Proofpoint, says it is too early to assess the full impact of the Europol operation but believes it could mark the end of Emotet.
“Considering this appears to be a law enforcement action on the back-end infrastructure of the Emotet botnet, this really could be the end,” she says. “Further to this, if the threat actors behind the botnet were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.”
TA542 is said to operate in Russia, which was conspicuous by its absence from the list of countries which took part in the operation to take down the botnet. As a result, Peter Mackenzie, incident response manager at Sophos, says some Emotet infrastructure probably remains intact, which would mean we have not seen the last of it.
“I have no doubts that this will have a direct impact on Emotet, we just don’t know to what extent or for how long,” he says. “Given the notable exception of Russia on the list of countries that helped I think it is fair to assume some of the Emotet infrastructure and people behind it will be unaffected by this takedown.”
Trickbot, another banking trojan, was taken down in a similar multi-agency swoop last October, but the threat actors behind the malware were able to bounce back fairly rapidly, Mackenzie says. “It’s difficult to totally derail a malware operation like Trickbot or Emotet if you don’t deal with the primary people developing it,” he adds.
Even if Emotet’s days are numbered, the threat posed by malware loaders is not going away. Last year saw the emergence of a new loader, Buer, which has been growing in popularity and has been used to launch Ryuk ransomware attacks.
International cooperation vital to tackling cybercriminals
The increased coordination between agencies from different countries in the take-down of Emotet, Trickbot and other malware bodes well for the future, according to Chris Morales, head of security analytics at Vectra. Recent months have seen new initiatives such as the World Economic Forum’s Partnership against Cybercrime in recognition of the need for a joined-up approach to tackle criminal gangs operating across jurisdictions.
“The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats,” Morales says. “This is a good start of what I hope to be a long and ongoing collaboration in targeting these types of organisations that can operate beyond any specific country’s borders.”
Peter Klimek, director of technology in the CTO’s office at Imperva, agrees. “The multi-national efforts to disrupt the Emotet botnet are encouraging and should be a framework for how the international security community can band together to stop these malicious actors,” he adds.
Defending against Emotet and other loaders
Following the investigation, Europol has published updated guidance on avoiding falling victim to Emotet and similar malware loaders, and says a combination of up-to-date cybersecurity tools and increased user awareness is required.
“Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs,” it says.
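The guidance above can be turned into a simple mail-triage check. The script below is an added example, not Europol's or any vendor's code: it flags a message when the sender is not on a hypothetical allow-list, the subject uses urgency language, or an Office attachment carries a VBA project (Office 2007+ files are zip archives and store macros in a vbaProject.bin entry). The sample email and its .docm attachment are constructed inline.

```python
import email
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Hypothetical allow-list; a real deployment would consult a directory or reputation service.
KNOWN_SENDERS = {"colleague@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|final notice|act now)\b", re.I)
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")

def has_vba_macro(data: bytes) -> bool:
    """True if an Office zip contains a VBA project, or if the file is a legacy OLE document."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Legacy .doc/.xls are OLE compound files (magic D0 CF 11 E0); we cannot parse
        # their macro streams here, so treat them as suspicious rather than clean.
        return data[:4] == b"\xd0\xcf\x11\xe0"

def triage(raw: bytes) -> list[str]:
    """Return the list of reasons a message should be quarantined (empty if none)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in KNOWN_SENDERS:
        reasons.append(f"unknown sender {sender}")
    if URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgency language in subject")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(OFFICE_EXT):
            if has_vba_macro(part.get_payload(decode=True) or b""):
                reasons.append(f"macro-enabled attachment {fname}")
    return reasons

def build_sample() -> bytes:
    """Constructed sample: an 'invoice' from an unknown sender with a macro-enabled .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"")  # empty placeholder, no real macro code
    msg = EmailMessage()
    msg["From"] = "invoices@unknown-vendor.example"
    msg["To"] = "you@example.com"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Please open the attached invoice immediately.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see all three reasons fire; a plain .docx without vbaProject.bin from a known sender returns an empty list.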
Dutch police uncovered a database of email addresses infected by Emotet as part of the investigation. You can check if your e-mail address has been compromised here.