Security Experts:

Connect with us

Hi, what are you looking for?



Law Enforcement Planning Emotet Cleanup Operation Following Botnet Takedown

Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware.

Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware.

One of the most prevalent botnets over the past decade, Emotet has been around since 2014, helping cybercriminals deploy their own Trojans, ransomware, and other types of malware onto compromised machines.

Serving as a malware loader, Emotet has been associated with the distribution of well-known malware families, including TrickBot and Ryuk ransomware, among others.

This week, Europol announced that, as part of an international operation that saw the participation of law enforcement agencies from eight different countries, Emotet’s infrastructure has been dismantled.

Authorities were able to take over the infrastructure, which included hundreds of servers worldwide, used to manage bots, spread Emotet, serve customers, and improve the network’s resilience.

The Ukrainian police announced that two suspected Emotet infrastructure operators have been arrested, while other cybercriminals associated with the botnet’s activities have been identified and are being pursued. Emotet’s operators face up to 12 years in prison.

Codenamed LadyBird, the takedown operation also resulted in the seizure of hardware, credit cards, and cash, along with login credentials, keys to encrypted services, and information related to the infected companies. Authorities also identified 600,000 compromised email addresses, with passwords.

“The police have used their hacking powers to penetrate and investigate Emotet’s cyber-criminal infrastructure. It was necessary to take action simultaneously in all countries concerned in order to be able to effectively dismantle the network and thwart any reconstruction of it,” the Dutch police said.

Authorities in the Netherlands also reveal that the investigation into Emotet, which started in 2019, has helped identify the various servers used for infrastructure, as well as over 1 million infected machines.

With law enforcement having taken control of the infrastructure, an update is being served to all infected machines, from the Dutch central servers.

“All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined,” the Dutch police said.

No specific timeframe for when the cleanup process will begin has been provided, but a security researcher suggested on Twitter that March 25, 2021, might be the day, based on lines of code found in the update that’s being sent to Emotet bots.

Emotet cleanup - Credits @ milkr3am

The researcher also discovered that all of the command and control (C&C) server IP addresses that Emotet now uses are located in Germany.

SecurityWeek has contacted the Bundeskriminalamt (BKA), Germany’s central criminal investigation agency, for confirmation on the actions taken to clean up the Emotet infections, but hasn’t received a reply yet.

Emotet’s operations, which helped many cybercriminals conduct illicit activities, are estimated to have caused hundreds of millions of dollars in losses. According to Ukrainian authorities, such losses may be in excess of $2.5 billion.

UPDATE: BKA has provided SecurityWeek the following statement:

Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected. An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences. For this purpose, the communication parameters of the software have been adjusted in a way that the victim systems no longer communicate with the infrastructure of the offenders but with an infrastructure created for the seizure of evidence.

UPDATE 2: Cybersecurity firm Team Cymru told SecurityWeek that while it was not involved in this aspect of the operation, it believes that the Emotet cleanup will actually start in April, not March. 

“Reports are out showing reverse engineers claim that the replacement binary will uninstall Emotet on March 25. We believe this report contains an error. In many programming languages, the month values start counting at 0, where 0 = January, 1 = February, etc. This maps to April instead of March. The date structure corresponds to 25 April 2021 at noon.”

Related: NetWalker Ransomware’s Sites Seized by Law Enforcement

Related: CISA Warns of Emotet Trojan Targeting State, Local Governments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.