Cyber SecurityMalware

International Law Enforcement Operation disrupts Emotet botnet


Law enforcement agencies from eight countries destroyed the infrastructure of Emotet, an infamous email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks over the past decade.

The operation to takedown the botnet was dubbed “Operation Ladybird” and is the result of a joint operation between authorities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine to take control of servers used to run and control the malware network.

Europol stated that the Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Emotet is considered very dangerous as it was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer.

The Emotet malware was first identified in 2014, and it has evolved from its initial roots as a credential stealer and banking Trojan to a powerful “Swiss Army knife” that can serve as a downloader, information stealer, and spambot depending on how it is deployed.

The malware is constantly under development and the cybercrime service updates itself regularly to improve stealthiness, persistence, and add new spying capabilities through numerous modules, including a Wi-Fi spreader to identify and compromise fresh victims connected to nearby Wi-Fi networks.

The malware is also capable of delivering more dangerous payloads such as TrickBot and Ryuk ransomware by renting its botnet of compromised machines to other malware groups.

700 Emotet Servers Seized

According to the U.K.’s National Crime Agency (NCA), the operation took almost two years to map the infrastructure of Emotet, with multiple properties in the Ukrainian city of Kharkiv raided to confiscate computer equipment used by the hackers.

The Ukrainian Cyberpolice Department also arrested two individuals allegedly involved in the botnet’s infrastructure maintenance.

The NCA stated that on analysis of accounts used by the group behind Emotet, $10.5 million was moved over a two-year period on just one Virtual Currency platform. Almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.

Globally, Emotet-linked damages are said to have cost about $2.5 billion.

At least 700 servers were operated by Emotet across the world which has been taken down now from the inside. So, the machines infected by the malware are now directed to this law enforcement-infrastructure, thus preventing further exploitation.

Besides, the Dutch National Police also released a tool to check for potential compromise, based on a dataset containing 600,000 e-mail addresses, usernames, and passwords that were identified during the operation.

Emotet to be deleted on March 25, 2021

The Dutch police, which seized two central servers located in the country has deployed a software update to neutralize the threat posed by Emotet effectively.

The agency stated that all the infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined.

According to a tweet from a security researcher with the Twitter handle milkream, Emotet is expected to be wiped on March 25, 2021, from all compromised machines.

Europol mentioned that a combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is necessary to avoid being victim to sophisticated botnets like Emotet.

They also advise that the users must check their e-mail and avoid opening messages and attachments from unknown senders.

Image Credits : BankInfoSecurity

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    N. Korean hackers target security researchers via social media

    Previous article

    NetWalker ransomware’s websites seized by Law Enforcement

    Next article

    You may also like


    Leave a reply

    Your email address will not be published. Required fields are marked *