International law enforcement effort takes down Emotet from the inside

Law enforcement authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine have collaborated to disrupt Emotet, one of the most significant botnets of the past decade.

The effort, coordinated by Europol the joint European policing agency, gained control of the Emotet infrastructure and took it down from the inside. Infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.

Spread by infected Word documents, masquerading as invoices or other business documents, Emotet is reckoned to have impacted around one in five organizations worldwide and its activity peaked this year between August and October last with an average of 25,000 different file names spotted each month.

Lotem Finkelstein, head of threat intelligence at Check Point Software, says:

Emotet, which was once a Banking Trojan and became a full-blown botnet was the most successful and prevalent malware of 2020 by a long way. Data from Check Point's ThreatCloud intelligence network shows that Emotet impacted the networks of 19 percent of global organizations over the course of last year.

Emotet earned its reputation not just because of its dynamic nature and unique technical features, but also because of the highly-organized criminal business model it developed. Instead of acting alone, the people behind Emotet chose to collaborate with other organized cybercrime groups like Trickbot and Ryuk Ransomware, and together they became very effective partners in crime.

The botnet was also available for hire to criminals wanting to spread other types of malware. This means the takedown of the network will effectively disrupt the activities of cybercriminals for some time.

Chris Morales, head of security analytics at Vectra says:

Emotet was large and far reaching. What is impressive, yet concerning, is how it has persisted for so long. That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organizations. There will be an immediate impact. Crime organizations operates based on a cost and efficiency model much like any legitimate organization.

Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually organizations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organizations leveraging that infrastructure.

The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these type of organizations that can operate beyond any specific countries borders.

You can read the official Europol statement on the takedown on the organization's site.

Image credit: ra2studio/depositphotos.com