Authorities took down the infrastructure of the Emotet botnet, as part of an international effort of law enforcement agencies across Europe and North America coordinated by Europol and Eurojust.
Emotet first appeared on the threat landscape as a banking Trojan in 2014, but over time the malware evolved into one of the most professional and long-lasting cybercrime services, allowing cybercriminal groups to gain access to compromised networks and conduct illicit activities such as data theft and extortion through ransomware.
The Emotet malware was delivered to victims via emails containing malicious attachments in the form of Word or Excel documents. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.
“The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts,” Europol said in a press release.
In a joint operation dubbed “Operation Ladybird,” authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine managed to gain control of Emotet’s infrastructure and redirect infected computers to law enforcement-controlled infrastructure.
The Ukrainian police's Cyberpolice Department also arrested two individuals suspected of involvement in maintaining the botnet's infrastructure. According to the Ukrainian police, the suspects used the malware to compromise servers of private businesses and government organizations in Europe and the US. As a result of these activities, banks and financial institutions suffered $2.5 billion in losses. The two men are facing 12 years in prison if found guilty.
Additionally, law enforcement has started distributing to infected devices an Emotet module that will uninstall the malware on March 25th, 2021, at 12:00. It is not clear, though, why the authorities are waiting two months to uninstall the malware.
People can check if their e-mail address has been compromised by Emotet and used to deliver malicious emails here.