World’s Most Dangerous Malware Taken Down in Global Operation

essidsolutions

A joint law enforcement operation culminated in the takedown of the infrastructure of Emotet, a sophisticated trojan that has been used by cybercriminals to drop 70% of the world’s malware and ransomware since 2014.

A coordinated effort by law enforcement and judicial authorities in Europe and North America successfully destroyed the infrastructure of Emotet, a trojan and malware dropper that grabbed the top spot in Webroot’s list of nastiest malware of 2020.

The joint law enforcement operation was coordinated by Europol and Eurojust and involved the participation of the FBI, the U.S. Department of Justice, the UK’s National Crime Agency, the French Police Nationale, Judicial Court of Paris, Germany’s Federal Criminal Police, and the Dutch National Police, among others.

The joint operation resulted in the complete seizure of the Emotet infrastructure consisting of “several hundreds of servers located across the world.” According to the UK’s National Crime Agency, which led the financial aspect of the investigation, at least 700 servers were seized in multiple countries, including the United States, Canada, and Europe.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure,” Europol said.

Video clip from the big Emotet malware takedown this week. Notice the gold bars. Video source: National Police of Ukraine pic.twitter.com/obBk3YxvWl

— @mikko (@mikko) January 27, 2021


Originally created as a banking trojan in 2014 to steal financial data, Emotet evolved into a ‘dropper’ and was used by hackers to deploy second-stage ransomware, which was then used to exfiltrate data, encrypt devices, and compromise IT networks. For instance, Emotet was used widely by cybercriminals to infiltrate computer systems and IT networks to make way for second-stage malware such as the TrickBot and QBot ransomware families, which were used to target businesses worldwide.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Emotet was primarily disseminated via email-based phishing campaigns that involved hackers luring targeted victims into clicking on fake shipping notifications, PayPal receipts, past-due invoices, etc. Once it entered a system, it demonstrated worm-like capabilities to rapidly spread across a network, which was difficult for organizations to combat.

Once it established itself inside a network, Emotet injected code into explorer.exe to maintain persistence before exfiltrating system data to a C2 server. This led to targeted organizations losing proprietary information permanently and incurring major costs in restoring systems and files. The malware also changed its code every time it was used, making it difficult for organizations to detect its presence based on known signatures.

Even though Emotet has been active since 2014, researchers observed a major uptick in its deployments in 2020, particularly after the Covid-19 pandemic forced businesses to adopt remote work. Emotet botnets were found dropping TrickBot to deliver ransomware payloads and Qakbot trojans to steal banking credentials and data. In this period, hackers also started hiding Emotet in password-protected .zip files to bypass email security gateways and target more victims worldwide.
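The password-protected archive trick works because a gateway cannot scan what it cannot decrypt, so the defensive answer is to treat an attachment the gateway cannot inspect as a policy decision rather than a pass. The following is an added example, not code from the article or from any of the agencies it cites: it walks a ZIP file's local file headers and reports members whose general-purpose flag bit 0 (the encryption bit in the ZIP specification) is set, and wraps that in a hypothetical `should_quarantine` gateway rule. The sample archives are constructed in-memory with the standard library, and the "encrypted" one is produced by setting the flag on an otherwise plain archive, which is enough to exercise the scanner without real encryption.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_HEADER_SIG = b"PK\x01\x02"  # central directory file header signature
FLAG_ENCRYPTED = 0x0001             # general-purpose bit 0: member is encrypted
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes


def encrypted_entries(data: bytes) -> list:
    """Return the names of members whose local header carries the encryption bit.

    Scans the raw local headers instead of trusting the central directory, so a
    tampered directory cannot hide an encrypted member from the check.
    """
    names = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER_LEN > len(data):
            break
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + nlen].decode("cp437", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        # Skip past name, extra field and (declared) compressed data; if sizes
        # live in a data descriptor instead, csize is 0 and find() resynchronises.
        pos = name_start + nlen + xlen + csize
    return names


def stdlib_encrypted_entries(data: bytes) -> list:
    """Second opinion from the central directory via zipfile.ZipInfo.flag_bits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]


def should_quarantine(filename: str, data: bytes) -> bool:
    """Hypothetical gateway rule: hold any .zip attachment that contains a member
    the gateway cannot open, instead of letting it through unscanned."""
    if not filename.lower().endswith(".zip"):
        return False
    return bool(encrypted_entries(data))


def build_sample(member: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test archive: one stored member, optionally flagged encrypted.

    Setting the flag only changes the header bits; the payload is left as-is,
    which is all the scanner looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local header flags sit at offset 6; central directory flags at offset 8.
        local_flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
        data[6:8] = struct.pack("<H", local_flags)
        cd = data.find(CENTRAL_HEADER_SIG)
        cd_flags = struct.unpack_from("<H", data, cd + 8)[0] | FLAG_ENCRYPTED
        data[cd + 8:cd + 10] = struct.pack("<H", cd_flags)
    return bytes(data)


if __name__ == "__main__":
    plain = build_sample("invoice.doc", b"benign text", mark_encrypted=False)
    locked = build_sample("invoice.doc", b"benign text", mark_encrypted=True)
    print("plain archive  ->", encrypted_entries(plain), should_quarantine("invoice.zip", plain))
    print("locked archive ->", encrypted_entries(locked), should_quarantine("invoice.zip", locked))
```

Cross-checking the raw-header walk against `zipfile`'s own `flag_bits` catches archives whose central directory disagrees with the local headers, a mismatch worth logging on its own. In a real deployment the quarantine decision would also cover other archive formats and nested archives, which this single-format example does not attempt.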

According to the UK’s National Crime Agency, the operators of Emotet made huge sums of money by offering the malware for hire to other cybercriminal groups, who used it as a key tool to open the door for other malware and ransomware. An investigation by the agency revealed that Emotet operators moved $10.5 million via a cryptocurrency platform in a two-year period, while spending $500,000 to maintain the Emotet infrastructure.

“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malware including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses. Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.

“This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically. Using our international reach, the NCA will continue to work with partners to identify and apprehend those responsible for propagating Emotet Malware and profiting from its criminality,” said Nigel Leary, Deputy Director of the National Cyber Crime Unit.
