Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Law Enforcement Planning Emotet Cleanup Operation Following Botnet Takedown

Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware.

Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware.

One of the most prevalent botnets over the past decade, Emotet has been around since 2014, helping cybercriminals deploy their own Trojans, ransomware, and other types of malware onto compromised machines.

Serving as a malware loader, Emotet has been associated with the distribution of well-known malware families, including TrickBot and Ryuk ransomware, among others.

This week, Europol announced that, as part of an international operation that saw the participation of law enforcement agencies from eight different countries, Emotet’s infrastructure has been dismantled.

Authorities were able to take over the infrastructure, which included hundreds of servers worldwide, used to manage bots, spread Emotet, serve customers, and improve the network’s resilience.

The Ukrainian police announced that two suspected Emotet infrastructure operators have been arrested, while other cybercriminals associated with the botnet’s activities have been identified and are being pursued. Emotet’s operators face up to 12 years in prison.

Codenamed LadyBird, the takedown operation also resulted in the seizure of hardware, credit cards, and cash, along with login credentials, keys to encrypted services, and information related to the infected companies. Authorities also identified 600,000 compromised email addresses, with passwords.

“The police have used their hacking powers to penetrate and investigate Emotet’s cyber-criminal infrastructure. It was necessary to take action simultaneously in all countries concerned in order to be able to effectively dismantle the network and thwart any reconstruction of it,” the Dutch police said.

Advertisement. Scroll to continue reading.

Authorities in the Netherlands also reveal that the investigation into Emotet, which started in 2019, has helped identify the various servers used for infrastructure, as well as over 1 million infected machines.

With law enforcement having taken control of the infrastructure, an update is being served to all infected machines, from the Dutch central servers.

“All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined,” the Dutch police said.

No specific timeframe for when the cleanup process will begin has been provided, but a security researcher suggested on Twitter that March 25, 2021, might be the day, based on lines of code found in the update that’s being sent to Emotet bots.

Emotet cleanup - Credits @ milkr3am

The researcher also discovered that all of the command and control (C&C) server IP addresses that Emotet now uses are located in Germany.

SecurityWeek has contacted the Bundeskriminalamt (BKA), Germany’s central criminal investigation agency, for confirmation on the actions taken to clean up the Emotet infections, but hasn’t received a reply yet.

Emotet’s operations, which helped many cybercriminals conduct illicit activities, are estimated to have caused hundreds of millions of dollars in losses. According to Ukrainian authorities, such losses may be in excess of $2.5 billion.

UPDATE: BKA has provided SecurityWeek the following statement:

Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected. An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences. For this purpose, the communication parameters of the software have been adjusted in a way that the victim systems no longer communicate with the infrastructure of the offenders but with an infrastructure created for the seizure of evidence.

UPDATE 2: Cybersecurity firm Team Cymru told SecurityWeek that while it was not involved in this aspect of the operation, it believes that the Emotet cleanup will actually start in April, not March. 

“Reports are out showing reverse engineers claim that the replacement binary will uninstall Emotet on March 25. We believe this report contains an error. In many programming languages, the month values start counting at 0, where 0 = January, 1 = February, etc. This maps to April instead of March. The date structure corresponds to 25 April 2021 at noon.”

Related: NetWalker Ransomware’s Sites Seized by Law Enforcement

Related: CISA Warns of Emotet Trojan Targeting State, Local Governments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.