Law enforcement agencies from as many as eight countries dismantled the infrastructure of Emotet, a notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks over the past decade.
The coordinated takedown of the botnet on Tuesday — dubbed "Operation Ladybird" — is the result of a joint effort between authorities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine to take control of servers used to run and maintain the malware network.
"The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale," Europol said. "What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim's computer."
More Than a Malware
Since its first identification in 2014, Emotet has evolved from its initial roots as a credential stealer and banking Trojan to a powerful "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.
Known for being constantly under development, the cybercrime service updates itself regularly to improve stealthiness, persistence, and add new spying capabilities through a wide range of modules, including a Wi-Fi spreader that was recently added to identify and compromise fresh victims connected to nearby Wi-Fi networks.
Last year, the malware was linked to several botnet-driven spam campaigns and even capable of delivering more dangerous payloads such as TrickBot and Ryuk ransomware by renting its botnet of compromised machines to other malware groups.
"The Emotet group managed to take e-mail as an attack vector to a next level," Europol said.
700 Emotet Servers Seized
The U.K.'s National Crime Agency (NCA) said the operation took nearly two years to map the infrastructure of Emotet, with multiple properties in the Ukrainian city of Kharkiv raided to confiscate computer equipment used by the hackers.
"Analysis of accounts used by the group behind Emotet showed $10.5 million being moved over a two-year period on just one Virtual Currency platform," the NCA said, adding "almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure."
Globally, Emotet-linked damages are said to have cost about $2.5 billion, Ukrainian authorities said.
With at least 700 servers operated by Emotet across the world now having been taken down from the inside, machines infected by the malware are set to be directed to this law enforcement-infrastructure, thus preventing further exploitation.
In addition, the Dutch National Police has released a tool to check for potential compromise, based on a dataset containing 600,000 e-mail addresses, usernames, and passwords that were identified during the operation.
Emotet to Be Wiped En Masse on April 25, 2021
The Dutch police, which seized two central servers located in the country, said it has deployed a software update to neutralize the threat posed by Emotet effectively.
"All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined," the agency said. According to a tweet from a security researcher who goes by the Twitter handle milkream, Emotet is expected to be wiped on April 25, 2021, at 12:00 local time from all compromised machines.
Corroborating the findings, Malwarebytes researchers said the payload to remove the malware ("EmotetLoader.dll") will be pushed via the same channels that were used to distribute the original Emotet, with the uninstaller deleting the service associated with the malware and its autorun Registry key.
The April deadline also means that the update doesn't entirely prevent Emotet ("X.dll") from being installed on a system. But with the command-and-control servers now sinkholed and under law enforcement's control, the malware will be stymied in its efforts to download further modules onto the infected host.
"The lengthy delay for the cleanup routine to activate may be explained by the need to give system administrators time for forensics analysis and checking for other infections," Malwarebytes' Threat Intelligence Team said.
Given the nature of the takedown operation, it remains to be seen if Emotet can stage a comeback. If it does, it wouldn't be the first time a botnet survived major disruption efforts.
As of writing, Abuse.ch's Feodo Tracker shows at least 20 Emotet servers are still online.
"A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like Emotet," Europol cautioned.
"Users should carefully check their e-mail and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and e-mails that implore a sense of urgency should be avoided at all costs."