Authorities in several countries, including the United States, Ukraine, UK, and the Netherlands, have taken over the infrastructure used by the Emotet malware operation, disrupting the long-running botnet that has served as a launching pad for other strains of malware and the notorious Ryuk ransomware for several years.
The takedown operation was a coordinated effort among the various law enforcement agencies and included a raid on an apartment in Ukraine. A video of the raid shows a variety of older computer equipment and police counting currency and what appear to be gold bars. Officials did not announce any arrests or names of suspects. The Emotet infrastructure is extensive and spread across several countries, as is the financial network used by the group to receive and move funds, hence the need for the international cadre of agencies.
“Emotet has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” Europol said in a statement.
“Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.”
Unlike some takedowns that simply involve sinkholing servers, the operation against Emotet was more complicated and far-reaching. A dedicated group of security researchers has been tracking Emotet activity on a granular level for several years, identifying the three discrete botnets that are involved in its operations and publicly calling out their spam runs. One of those community based efforts, known as Cryptolaemus, keeps detailed data on Emotet controllers, active URLs, and indicators of compromise. That group worked with researchers at Team Cymru, a private threat intelligence firm that tracks botnets, to identify the active Emotet controllers, and then Team Cymru began contacting network operators to ask them to block access to the list of controllers. This is a sensitive request and operators aren't always inclined to help, for one reason or another. But in this case, the majority of operators the researchers contacted were in.
So while law enforcement agencies in affected countries were seizing the servers that they had jurisdiction over, Team Cymru and other researchers worked with the network operators to block access to the ones law enforcement could not touch. When the takedown happened, the number of Emotet controllers online wentr from about 100 to zero.
"Emotet is a complicated botnet to take over. Its infrastructure is redundant and fault tolerant. It is set up with distinct tiers and has some separation to further increase resiliency. Hacked servers make up most of its infrastructure. These servers are globally distributed. Before Tuesday, January 26, 2021, this model was top notch for criminal infrastructure," said James Shank of Team Cymru in a post on the takedown.
Now the actors are wearing some shiny new handcuffs. The infrastructure is in law enforcement control. Fewer victims are connecting to actor-controlled systems. More people are safe today.
"Now the actors are wearing some shiny new handcuffs. The infrastructure is in law enforcement control."
Emotet’s evolution from a fairly ordinary banking trojan to the go-to loader for other malware and a for-hire platform for ransomware gangs has been one of the more interesting ascents in the cybercrime world in recent years. Emotet began life in 2014 as a simple trojan, stealing banking credentials and money from victims. But as the landscape changed, the Emotet operators adapted, using their malware as a launch point for other attackers and selling access to infected machines to other attackers. The most damaging part of this strategy was the group’s alliance with TrickBot and the Ryuk ransomware, which has wreaked havoc on networks for the last couple of years.
“To severely disrupt the Emotet infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure,” Europol said.
"Botnet takedowns like this are incredibly complex, and require people with deep technical skills to plan and implement them well. It also requires great cooperation between many different private sector cyber security experts across the security industry," said Randy Pargman, senior director of threat hunting and counterintelligence at Binary Defense, which participated in the effort.
“While a unique level of visibility was key in auditing and vetting the tier 1 controllers being targeted for takeover or takedown, the collaboration among ISPs worldwide was truly the critical element. These network operators are the heroes in this story. Because of this collaborative effort, bad actors have been arrested and the Internet is a safer place for the time being,” Team Cymru said in a statement.
The takedown operation also focused on the money trail leading from victims to the Emotet gang and the other malware groups associated with it. “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses,” the UK’s National Crime Agency said.
“Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.”