If I never hear the name “Emotet” again, I’d be a pretty happy guy. But it’s worth bringing up this bad boy one more time to announce its demise — or at least the beginning of its end.
On January 27, Europol announced that law enforcement agencies from eight countries seized control of the Emotet botnet in a coordinated effort, putting a stop to more than six years of torment from one of the world’s most dangerous forms of malware.
Although the culprit has been metaphorically locked up, the final blow won’t be delivered until April 25, when an update pushed out to all infected servers will wipe them clean of Emotet once and for all. How did law enforcement finally shut down this banking-Trojan-turned-beast? Why are they waiting until April to wipe it out? What are the ethical pitfalls of pushing code — even “good” code — onto these infected networks?
Law enforcement bests Emotet in TKO
The notorious Emotet botnet, which first appeared as a banking Trojan in 2014, is known for its consistent ability to shapeshift, which allowed it to avoid detection and drop other vicious malware in its wake. Over the more recent years, it wreaked havoc on organizations with other partners, including the equally dangerous TrickBot and Ryuk ransomware.
On January 27, Emotet met its match when agencies from the United States, United Kingdom, Germany, the Netherlands, and more gained control of its infrastructure and took it down from the inside. In a statement announcing the action, Europol described Emotet’s infrastructure as involving several hundred servers across the world, all of which had different functionalities: to manage computers of the infected victims, to spread to new ones, to serve other criminal groups, and to make the network more resilient against takedown attempts.
The global effort to bring down Emotet’s complex web of servers and controllers, dubbed Operation Ladybird, should not be underestimated. Law enforcement coordinated with security researchers from the private sector to take over Emotet’s C&C infrastructure — located in more than 90 countries — while simultaneously arresting at least two of the cybercriminal crew members behind it.
“Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet,” said Jérôme Segura, Director of Threat Intelligence for Malwarebytes. “This is a very impactful action that likely will result in the prolonged success of this global takedown.”
In its press release, Europol described the approach to Emotet’s take-down as “unique and new.” While details of how Operation Ladybird were able to disrupt the Emotet botnet are still emerging, we do know that infected machines have been redirected toward the law enforcement-controlled infrastructure. This effectively removes the threat posed by Emotet by preventing it from contacting the infrastructure it uses to receive updates and deliver malware.
Shortly after the Emotet infrastructure was seized, Dutch authorities deployed an update: a special cleanup payload with code to remove the malware from infected computers on April 25. Why so far away? The lengthy delay gives system administrators time for forensic analysis and to check for other infections that Emotet may have left behind. After Emotet uninstalls itself on April 25, these investigations will be harder to carry out.
But pushing code via botnet, even with the best of intentions, has always been a thorny topic. In this case, law enforcement took control of one of the most significant botnets of the decade — but instead of dismantling it, they pushed an update that will likely impact many thousands of organizations and endpoints — without consent. The end result is positive, of course. But what about the ramifications? The DOJ actually distanced itself from the update, stating in its affidavit that “foreign law enforcement agents, not FBI agents, replaced the Emotet malware, which is stored on a server located overseas, with the file created by law enforcement.”
What are your thoughts about the downfall of Emotet? Do you think this is the last we’ll hear of it? Do you believe it was a good idea to deploy the Emotet update, even without consent?
To read the Department of Justice’s official release on the operation that took down Emotet: https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation