One of the most dangerous cyber threats in the world has been stopped


The Emotet botnet has been dismantled by a global operation of law enforcement and judicial authorities. The network of infected servers was then used against the threat itself, to neutralise it.

How does Emotet work? A joint action by law enforcement and judicial authorities from around the world made it possible to disrupt the Emotet botnet by taking control of its infrastructure.

In terms of effectiveness and number of victims, Emotet has been one of the most significant global cyber threats of the last decade, going so far as to be described by Sophos cybersecurity experts as "more dangerous than WannaCry", the ransomware attack that hit computers and networks worldwide in 2017. In 2014, Proofpoint identified the author of Emotet as the threat actor TA542 and has since observed hundreds of thousands of malware-carrying emails every day.

The Emotet shutdown was the result of a joint effort by law enforcement agencies from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated internationally by Europol and by the European Union Agency for Criminal Justice Cooperation, Eurojust.

The infrastructure used by Emotet involved several hundred servers scattered all over the world, each equipped with the functionality needed to remotely manage the computers of infected victims, spread the malware to new targets and act as a support service for other cybercriminal groups. The large number of servers spread across many countries was intended to make the botnet resilient to takedown attempts.

Precisely for this reason, the authorities and law enforcement agencies involved in the operation collaborated on a strategy that made it possible to pull the plug on the botnet. To do so they used an innovative approach, unique of its kind: they took control of the botnet from the inside and then redirected the victims' infected computers to infrastructure under their control, thus halting the spread of the malware.

"Considering that this action seems to have been ported to the botnet backend infrastructure, it could really be the end of it. Furthermore, if the perpetrators behind the botnet (TA542) have been arrested or somehow their activity interrupted, this could also have a significant impact on the potential of future operations," said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

Finally, as part of the criminal investigation into Emotet conducted by the Dutch National Police, a database containing email addresses, usernames and passwords stolen by the cybercriminals was discovered. Users can check whether their email address has been compromised via the Dutch police website.
