Police Using Emotet's Network to Help VictimsAuthorities Take Steps to Sever Victims From the Botnet
The law enforcement agencies behind this week's disruption - dubbed “Operation Ladybird” - of Emotet are helping victims by pushing out an update via the botnet’s infrastructure that will disconnect their devices from the malicious network.
Europol describes Emotet as “one of the most professional and long-lasting cybercrime services.” Its operators used the botnet to gain entry into organizations worldwide and then sold that access to other cybercrime gangs, who used it for their own nefarious purposes, such as delivering ransomware and banking Trojans, according to Europol and security researchers.
"What makes this takedown interesting is how Europol managed to push out an updated botnet to infected hosts, redirecting them away from the malicious infrastructure,” says Marc Laliberte, senior security analyst at the security firm WatchGuard Technologies. “Instead of only taking down the servers responsible for distributing the malware, international law enforcement also managed to issue a dose of antibiotics to infected victims."
Two Tools Offer Relief
Dutch police, along with law enforcement agencies from the seven other nations that participated in the yearlong operation, have created two tools to help organizations and individuals discover if they have been victimized and then recover.
One tool enables a user to check if their email address and password have been compromised by Emotet. The other software tool, which is being pushed out by Netherlands authorities using the captured botnet's servers, can disconnect infected devices from the botnet.
"A software update is placed on the Dutch central servers for all infected computer systems,” police say. “All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined.”
The FBI notes: "The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet. Instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet.”
Emotet paused its activity for two months last year but then reemerged. And the cybercrime operation potentially could again rebound in the aftermath of the latest disruption, some security experts say.
In October 2020, Microsoft and U.S. federal agencies took down certain Trickbot servers. At the time, Emotet was being used as a dropper for Trickbot.
But Trickbot's operation rebounded within a few weeks (see: Analysis: Will Trickbot Takedown Impact Be Temporary?). Likewise, Emotet reappeared in late December 2020 after a lull (see: Emotet Botnet Returns After 2-Month Hiatus).
"Emotet has historically been resilient and quick to adapt to attempted disruption,” Laliberte of WatchGuard Technologies says. “While international law enforcement should be commended for their temporary disruption, I wouldn't expect this to be the end of Emotet."
Researchers at the security firm Avast note that as long as some of the Emotet administrators remain at large, there’s a good chance the cybercrime operation will return.
"We've seen a high degree of adaptability from this group, which makes the chances they'll try to regroup and rebuild greater than with other groups taken down in the past," Avast says in a report.
Police estimate Emotet has targeted about 1 million victims worldwide, causing hundreds of millions of dollars' worth of damage. Dutch authorities say 600,000 email addresses were found on the seized servers during the investigation. Phishing is the primary distribution method for Emotet.
The FBI has identified 20 U.S.-based providers that hosted about 45 IP addresses that had been compromised by Emotet. The bureau also found providers in 50 other countries with hundreds of IP addresses that were controlled by Emotet's administrators.
Law enforcement agencies from the U.K., the Netherlands, Germany, France, Lithuania, Ukraine, the U.S. and Canada participated in the Emotet disruption, which involved taking over hundreds of servers worldwide.
Ukrainian police conducted physical raids that resulted in several arrests and the seizure of equipment used to manage the botnet.