How a global law enforcement effort took down the Emotet botnet

Taking down a global malware threat and the cybercriminals behind it is a huge challenge. The effort not only requires ingenuity, planning, and stealth but also coordinated action across an array of companies and countries. A report released Wednesday by security firm Digital Shadows looks at how such an effort was orchestrated to put a seeming end to the infamous Emotet malware.

SEE: 10 ways to minimize fileless malware infections (free PDF) (TechRepublic)

On Jan. 27, the European Union Agency for Law Enforcement Cooperation (Europol) revealed that a global coalition of law enforcement and judicial authorities across several countries had disrupted Emotet through an endeavor known as “Operation Ladybird.”

By digging into Emotet’s infrastructure, the companies and agencies involved managed to redirect the computers of those victimized by the notorious botnet into one controlled by law enforcement. Europol called the effort a “new and unique way” to disrupt these types of cybercriminal activities.

Those involved in the process took over several of the command-and-control (C2) systems used by the Emotet gang to redirect the malicious traffic, according to Digital Shadows. Known as DNS sinkholing, this action tries to prevent the attackers from communicating with infected devices and is a critical step toward taking down a botnet such as this.

A video spotted by Digital Shadows shows a Ukrainian law enforcement agency raiding Emotet operators. In the video, officers seize computer equipment, gold bars, and foreign currencies.

The next step rests with German law enforcement officers who will deploy an Emotet update on April 25 to remove the malware from all infected devices and prevent further communications. Waiting until the end of April will give agencies more time to investigate additional compromised systems.

After the announcement of Operation Ladybird, Digital Shadows said it checked several underground forums to see how other cybercriminals were reacting to the news. Some commenters actually complained about the lack of details in Europol’s press release. Perhaps they were hoping to glean more insider tips on how to evade law enforcement and avoid Emotet’s fate.

One person said that “the longer you work, the more footprints there are.” The implication here is that though cybercriminals try to cover their tracks, the longer you play this dangerous game, the more likely it is that you’ll eventually get caught.

Of course, Emotet may be down and out for now, but is it truly gone? Malware and malicious operators have a nasty habit of resurfacing even after a devastating blow.

Last October, a group of tech companies banded together to take down the TrickBot botnet in advance of the US presidential election. But today, TrickBot is once again alive and well and responsible for new phishing and malware attacks. As such, one commenter discovered by Digital Shadows said that it remains to be see whether Emotet is really down for the count.

Based on past incidents, the odds are that Emotet will return, perhaps in some new shape or form. But, as Digital Shadows points out, the new and unique approach used in Operation Ladybird did deal a devastating blow to the botnet’s operation. Any type of resurgence will be hard to pull off.

In the meantime, users should not let their guard down. Machines compromised by Emotet can still run other malware variants, including TrickBot and QakBot. And since the Emotet malware won’t be removed from infected systems until the end of April, these machines could still be vulnerable for now.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see