Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action. 

This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT)

EMOTET has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorized access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.

Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, says, “Emotet was large and far reaching. What is impressive, yet concerning, is how it has persisted for so long. That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organizations. There will be an immediate impact. Crime organizations operates based on a cost and efficiency model much like any legitimate organization.

"Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually organizations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organizations leveraging that infrastructure. The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these type of organizations that can operate beyond any specific countries borders.”

Emotet's relevance on the cyber threat landscape cannot be overstated, says Stefano De Blasi, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.

"First discovered in 2014, Emotet evolved from a banking trojan to a highly successful initial access vector used by numerous threat actors and cybercriminal groups. Emotet operators frequently modified the techniques used by this botnet to obfuscate its activity and increase its distribution; social engineering attacks such as spear-phishing emails containing malicious attachments have been one of the most successful tactics employed by Emotet. Europol's disruptive operation represents the latest example of law enforcement and judicial authorities taking a proactive stance against international cybercriminal operations. For example, in October 2020, the US  Cyber Command announced that they disrupted the operations behind TrickBot, one of the most notable malicious botnets and ransomware distributors in the world. These operations constitute a great step ahead in the fight against cybercriminal organizations and result in highly valuable disruptions of ongoing malicious activity," De Blasi notes.

He adds, "This latest Europol operation holds the promise of having caused severe disruption to Emotet's networks and command-and-control infrastructure. The "new and unique approach" of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer down time for Emotet. Nonetheless, it is crucial to highlight that despite the infrastructure takeover conducted by law enforcement, it is unlikely that Emotet will cease to exist after this operation. Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure-just like the TrickBot operators did after the aforementioned operation.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, “This is a great accomplishment that has been sorely needed. Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever. Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods. There is a lot that we know about Emotet and we can apply those learnings for future defense, ideally providing earlier detection/prevention.”

“This joint effort between a range of national and supranational law enforcement agencies (LEA) is good to see, as this success helps to strengthen international cooperation and builds strong working relationships among the LEAs. The recent events around SolarWinds and the social engineering attack against security researchers indicate that such collaboration will be needed even more in future. For now, Emotet seems to be taken down as a central command&control server of Emotet in the Ukraine got dismantled as well. Given that Emotet was operating as ‘Malware-as-a-service’ it seems likely that the technology will re-surface in the future. There is way too much money involved for the cyber crooks to simply give up," notes Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software.

"But it is not the time for companies across the globe to sit back and relax. instead use the Emotet pause for re-enforcing the defense, verify whether all core security controls (vulnerability checks, change control and others of the CIS Top5) are in place and orchestrated, as other Malware families are still out there.”