Security Experts:

Uninstall Command Completes Emotet Botnet Cleanup Operation

Roughly one million computers are getting rid of the Emotet malware after law enforcement agencies served them an update meant to trigger an uninstall process on April 25.

One of the most prevalent threats of the past half a decade, Emotet first emerged in 2014 as a banking Trojan, but evolved into a malware downloader that was employed by many cybercriminals to distribute various payloads.

Some of the best known malware families distributed through Emotet include TrickBot, Ryuk, and the QakBot banking Trojan, but many others too relied on the massive network of approximately one million infected machines for the delivery of malicious files.

In January 2021, authorities announced that they managed to seize Emotet’s servers and disrupt its infrastructure, thus bringing the botnet’s operations to a halt.

At the same time, the Dutch police started serving an update to the infected machines, to quarantine the infection. Several lines of code were also included in the update to instruct the malware to automatically uninstall itself, on April 25.

Once triggered, the uninstall command cleans up the Windows registry key that enables the Emotet modules to run automatically and stops and deletes associated services, but does not remove other files, nor does it erase additional malware that might have been installed through the botnet.

Emotet’s demise leaves behind a void that other botnets out there are expected to attempt to fill, and security researchers have already observed an increase in the activity associated with the BazarCall and IcedID malware variants.

“While the takedown of Emotet is a big win for all but cybercriminals, efforts made to replace it with malware such as BazarCall and IcedID demonstrate that cybercriminal outfits are increasingly organized, ambitious and professionalized. This will almost certainly remain the same in the future; the problem does not end with Emotet,” digital risk protection company Digital Shadows notes.

Related: Five Months After Takedown Attempt, CISA and FBI Warn of Ongoing TrickBot Attacks

Related: CISA Warns of Emotet Trojan Targeting State, Local Governments

Related: Ransomware Vaccine Intercepts Requests to Erase Shadow Copies

view counter