If what Europol and the BKA reported on Wednesday is true, cybersecurity experts around the world should soon be sleeping a little better. In coordinated statements, the authorities write that they have succeeded in eliminating a key player in international cybercrime: the Emotet botnet.
Emotet has been a major nuisance to cyber defenders and businesses for years. Initially launched in 2014 as a banking Trojan, Emotet evolved over the following years into modular malware that kept an entire shadow economy of cybercriminals running. The botnet usually gained its initial foothold on Windows computers through infected Word files sent as e-mail attachments. Once opened, Emotet settled into the victim's computer, made itself at home, and used the infected machine to infect others, for example by mailing the contacts found on the hijacked machine. According to a study from 2018, each infected computer went on to infect an average of three other machines. The botnet grew steadily over the years.
The spread of Emotet usually came in waves. While the botnet was active, cybersecurity firms observed hundreds of thousands of infected e-mails every day. Then the botnet would regularly go silent for several weeks. Experts assume that the operators used these pauses to update the software and refine the malicious e-mail attachments.
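The paragraphs above describe the delivery mechanism in one sentence: an e-mail with a Word attachment that, once opened, runs the malware. For a defender the practical question is how to triage such attachments before a user opens them. The following script is an added example written for this article, not code from the reporting authorities or from any vendor named here. It assumes, as a labeled assumption, that the "infected Word files" carry an embedded VBA project, which is the usual way a Word document executes code. It inspects only the container, never the extension: an Office Open XML file (.docx/.docm) is a zip archive, and a macro-bearing one contains a `word/vbaProject.bin` part and declares a macro-enabled content type; a legacy binary .doc is an OLE compound file whose directory lists a `_VBA_PROJECT` stream. The sample documents are constructed in memory and are not real malware.

```python
import io
import zipfile

# OLE compound-file signature (legacy binary .doc / .xls / .ppt)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content type Word writes into [Content_Types].xml for a macro-enabled document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)


def build_sample_docx(with_macros: bool) -> bytes:
    """Build a minimal Office Open XML container in memory (constructed test data).

    The VBA part is a placeholder blob; only the container layout matters here.
    """
    buf = io.BytesIO()
    main_ct = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def inspect_word_attachment(data: bytes) -> dict:
    """Triage a Word attachment by its container, ignoring the file extension.

    Returns {"format": ..., "has_vba": bool, "reasons": [...]} so the caller can
    quarantine or log with a concrete justification.
    """
    result = {"format": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        result["format"] = "ole"
        # OLE directory entries store stream names as UTF-16LE. A VBA project
        # always carries a "_VBA_PROJECT" stream, so its name is a cheap
        # indicator. This is a heuristic, not a full OLE parser.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            result["has_vba"] = True
            result["reasons"].append("_VBA_PROJECT stream name present")
        return result

    if data.startswith(b"PK"):
        try:
            z = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            result["reasons"].append("zip container is corrupt")
            return result
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return result  # a zip, but not an Office Open XML package
        result["format"] = "ooxml"
        # A .docx renamed from .docm still ships its macro part; check the part,
        # not the name the attacker chose.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["has_vba"] = True
            result["reasons"].append("word/vbaProject.bin part present")
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CONTENT_TYPE in content_types:
            result["has_vba"] = True
            result["reasons"].append("macro-enabled content type declared")
        return result

    return result


def should_quarantine(data: bytes) -> bool:
    """Policy hook: hold any Word attachment that carries a VBA project."""
    return inspect_word_attachment(data)["has_vba"]


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_docx(False)),
                        ("macro", build_sample_docx(True))):
        print(label, inspect_word_attachment(blob), should_quarantine(blob))
```

Treat a positive result as a reason to hold the mail for analysis, not as proof of Emotet: plenty of legitimate documents carry macros. The value of the check is that it cannot be fooled by renaming the attachment, which is the first thing a mass-mailing operation tries.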
Europol had succeeded in taking over important command servers of the criminals
The Federal Office for Information Security (BSI) called Emotet the “king of malware” in 2018. BSI president Arne Schönbohm said on Wednesday that the action by the authorities was “an important blow against international cyber crime”. According to Europol, investigators from the Netherlands, Ukraine, Lithuania, France, England, Canada and the USA were involved in the concerted police action. Together they managed to take over numerous important command servers of the criminals.
These servers were the heart of the cybercrime network. From there, the criminals regularly modified the malware on all computers that had already been infected so that virus scanners would no longer recognise it. They could also push any additional software they chose onto the infected computers. Emotet thus became the door opener for further malware: other gangs could rent the botnet from its operators in order to infect the victims with ransomware and extort ransom money.
On a website, users can check whether their email addresses are affected
Europol writes that the investigators have now succeeded in taking over the botnet “from within”. Computers contaminated with Emotet are now being redirected to command servers controlled by the authorities. During their investigation, the Dutch authorities also found a list of e-mail addresses, usernames and passwords. Users can now check on a website whether their e-mail address appears in it. Although the site is in Dutch, interested users only need to enter their e-mail address in the field provided at the bottom of the page. The owner will receive an e-mail from the Dutch police only if that address was affected.
It will become clear only in the coming days whether the Emotet network has actually stopped communicating. IT security experts remain skeptical about whether the authorities’ optimistic predictions will come true. “It is still unclear what effects the measures will bring in the long term,” says Sherrod DeGrippo, who is responsible for Emotet at the IT security company Proofpoint. “Law enforcement activities have historically had varying degrees of impact on the technology and operators of these large-scale botnets,” said DeGrippo.
It would not be the first time that investigators celebrated “a decisive blow” against a large botnet too early. In October 2020, Microsoft announced that it had decisively disrupted the Trickbot botnet. Just a few days later, the botnet was back online.