The enormous Emotet botnet has been taken offline following an international policing effort involving multiple countries. Emotet has been one of the world’s most prolific distributors of malware and spam over the past few years, and its takedown is a significant blow to malware, ransomware, and spam distributors worldwide.
The Emotet Botnet Is Down
On 27 January 2021, Europol sent a tweet announcing that the Emotet botnet was down.
The culmination of a massive worldwide policing effort involving authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine saw investigators take control of the botnet.
Investigators and security researchers took control of Emotet command and control infrastructure in more than 90 countries dotted worldwide, with at least two physical arrests in Ukraine. The Ukrainian authorities also released a video showing officers seizing computer hardware, cash, and rows of gold bars.
The official Europol statement reads:
The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware.
Taking down Emotet involved disrupting hundreds of servers, many of which have different capabilities. In the case of a massive botnet like Emotet, the only way to disrupt and destroy the network is to take down as much as possible simultaneously, as well as making physical arrests on those running the criminal enterprise.
Many botnets like EMOTET are polymorphic in nature. This means that the malware changes its code each time it is called up. Since many antivirus programmes scan the computer for known malware codes, a code change may cause difficulties for its detection, allowing the infection to go initially undetected.
Is the Emotet Botnet Gone For Good?
During previous botnet takedowns, the coordinated efforts have struck a significant blow but not quite killed the beast.
For example, when authorities and security researchers took down the Trickbot botnet, the botnet owners were able to rebuild. Not only that, but they were able to learn from the flaws that made the botnet vulnerable to the first takedown, strengthening the second version.
In the case of Emotet, authorities are confident that enough command-and-control infrastructure has been seized that recreating the botnet would be very difficult—though not impossible.
There’s another threat, too. Although Emotet is offline, threats propagated through the network remain active.
It’s important that organizations perform cleanup as soon as possible. Whilst Emotet itself is inoperable, other threats it has previously loaded such as TrickBot and QakBot remain active. These infections often lead to ransomware such as Ryuk and Egregor.
— MalwareTech (@MalwareTechBlog) January 27, 2021
Security researcher Marcus Hutchins advises organizations and individuals to “perform cleanup as soon as possible” as the threat from other malware types, such as the Ryuk and Egregor ransomwares, remains active.
With the Emotet takedown, Europol and its partners have knocked a significant global security threat offline.