Europol reported last week that a joint venture between them and other law enforcement agencies (from eight nations) allowed them to take control of the Emotet botnet. They did so in an interesting turn of events, where instead of taking over the servers, they redirected infected devices to government-owned servers away from the Emotet servers. The takedown consisted of hundreds of servers across the globe and is a major disruption of the botnet.
Additionally, authorities were able to send out an update to all infected devices to disconnect from the botnet, essentially freeing victims from harm. The update is set to uninstall all infections on March 25, 2021.
Europol said in their report;
“This was a big crime, and this is a big success for law enforcement, especially across borders,” says Alan Woodward, a visiting computer science professor at the University of Surrey and cybersecurity adviser to Europol. “This was a huge blow: It’s a major dent in this malware’s ability to cause more harm.”
In connection with the takedown, Ukrainian law enforcement conducted raids arresting two hackers associated with the Emotet botnet. Other individuals have been identified, and arrests should be made shortly.
The law enforcement agencies involved were from the United Kingdom, the Netherlands, Germany, France, Lithuania, Ukraine, the U.S., and Canada.
The Dutch authorities created a tool where victims can check to see if their email address and password have been compromised.
What is Emotet?
Europol describes Emotet as “one of the most professional and long-lasting cybercrime services.” The Emotet gang set up shop back in 2014 and started the botnet as a banking Trojan virus targeting financial institutions.
After gaining access to worldwide targets, the gang then sold the rights to Emotet to other hackers for even more profit.
The hacker group uses sophisticated methods of social engineering and phishing campaigns to infect new devices adding more processing power to the botnet. The hacker group was last seen in December with their Trickbot malware campaign.
Some experts believe that the win will be short lived, and that the hacker group will bounce back quickly, recreating the botnet easily. Others believe that this was a major blow that will disrupt hacker operations for the long term.
According to a quote from Data Breach Today;
“This latest Europol operation holds the promise of having caused severe disruption to Emotet’s networks and command-and-control infrastructure and given authorities the ability to look deep inside the organization - possibly enabling authorities to keep Emotet down for a long period of time.”
Due to the fact that botnets are versatile, and the hackers have other servers, the chances are that the groups using the Emotet botnet will regroup and continue operations sometime down that road.
A good example is the Trickbot botnet that Microsoft and other agencies disrupted back in October 2020. Within weeks the botnet was back up and running. Unfortunately, these well-funded groups have the resources to begin rebuilding immediately, so even a takedown of this magnitude may not last very long.
The Only Real Solution
Another factor is that most of these hacker groups are spread across the globe, so even if one section is disabled, another can take over quickly and rebuild the disabled infrastructure. The most impactful action is arresting and putting these criminals behind bars where they cannot access computers. That is the only real solution.
Until then, corporations and individuals must learn to employ best practices when it comes to cybersecurity, which includes strong passwords, updated devices, and good antivirus software. Education for staff and management is also key to preventing infections and attacks.