Following an extensive international operation, law enforcement agencies and judicial authorities managed to severely disrupt one of the most notorious botnets in the world, called Emotet. The cybercriminals behind this group used various types of bait to trick unsuspecting users into opening malicious attachments. What made Emotet so dangerous is that the malware allowed other cybercriminals to access parts of the hacked systems for a fee.
One of the Most Dangerous Types of Malware
Emotet was first discovered as a banking trojan in 2014. The aim of these trojans is to steal people’s banking credentials. Two years later, the malware evolved to a so-called “loader’. This type of malware gains access to a system and then sells access to parts of this system to other cybercriminals. Consequently, they can easily install their own malware, steal passwords, etc.
Further, Emotet authors have also used the malware to create a botnet of infected systems. Botnets are the perfect vehicle for online crimes. One hacker can control a large number of devices, or bots, within the same botnet and use them any way he likes. For example to launch DDoS attacks, spread spam, or sell people’s credentials on the dark web.
Some well-known large criminal groups have received access to devices through Emotet. Concrete examples of this are the Trickbot network and various Ryuk ransomware operators. As such, Emotet has played a key role in the cybercriminal landscape in recent years. The malware is also very difficult to remove, making it extra dangerous.
Malicious Email Attachments
The starting point for an Emotet malware infection is often a phishing email. The cybercriminals behind Emotet have used various types of bait to trick unsuspecting users into opening malicious attachments. For example, in the past year, they have pretended that email attachments contained information about COVID-19. If victims opened the attachments or the link, the Emotet malware was installed.
The criminal organization behind Emotet distributed the malware through an extensive and complex network of hundreds of servers. Some servers were used to keep control of already infected victims and to resell data. Others to create new victims. Some servers were also used to keep police and security companies at bay.
The damage caused by Emotet is valued at least at hundreds of millions of euros globally. According to police research, there are more than 1 million computer systems infected by Emotet worldwide. In addition, investigators found a database with 600,000 email addresses and matching passwords during the operation.
Operation Ladybird Takes Down Emotet
An in-depth criminal investigation, dubbed Operation ladybird, eventually mapped Emotet’s entire infrastructure. Then this week, law enforcement agencies managed to take control of the Emotet network from the inside and deactivate the malware. Since then, infected devices have been redirected towards an infrastructure controlled by law enforcement.
Two of the three main servers turned out to be located in the Netherlands. A software update was placed on the Dutch central servers for all infected computer systems. The investigators also retrieved the cybercriminal’s backup files. With the help of such backups, Emotet operators could have their network up and running again relatively quickly after being brought down. The police hope that their operation will now seriously hinder any reconstruction of Emotet.
Operation Ladybird was a collaborative effort between authorities in the Netherlands, Germany, the United Kingdom, France, Ukraine, the United States, Canada and Lithuania. Yesterday, Ukrainian police officials announced that they arrested two individuals who allegedly kept several Emotet servers operational. They also released a video of the equipment that was seized at the hackers’ place of residence.
The Emotet Checker
Consumers and IT departments can use “the Emotet Checker”, which was published on the Dutch police’s website, to check whether their own devices and networks are infected. A brief explanation in English can be found at the bottom of their page. If a victim’s email address is present in the seized data, the victim will receive an email within minutes. This email includes instructions on what to do next.
In a separate operation, the FBI and Bulgarian law enforcement seized leak sites on the dark web used by NetWalker ransomware operators. They also charged a Canadian national who was allegedly involved in several NetWalker ransomware attacks. Both the takedown of Emotet and NetWalker build on coordinated attempts to stop, or at least seriously disrupt, cybercriminal activities. Just recently, German authorities shut down the largest illegal marketplace on the dark web.