Law Enforcement Seizes Emotet Botnet - Threatwire
Added 2021-02-02 19:28:43 +0000 UTC
Weekly security and privacy news, brought to you by Shannon Morse.
Support ThreatWire! https://www.patreon.com/threatwire
Law enforcement agencies in the US and Europe have taken control of the infrastructure used by the Emotet botnet's operators. The Emotet botnet has been used to steal millions in extortion attacks alongside stealing data. Attackers have used Emotet for years to distribute phishing campaigns alongside Ryuk ransomware and banking trojans. According to law enforcement, 100,000 to half a million Emotet phishing emails are sent per day, which is why it has been called the world's most dangerous malware. It took the operation two years to map out the infrastructure of machines and servers used within Emotet, which in turn helped agencies take control of 700 servers across multiple countries.
Machines that were infected have now been redirected to law-enforcement-controlled infrastructure, according to Europol.
The takedown will help eliminate the botnet from more than one million active machines worldwide. Since law enforcement now has control over much of the Emotet infrastructure, it plans to push an Emotet update to infected machines that will remove the malware from them, in an effort that will span the next several months. This update will automatically uninstall the malware on April 25.
The FBI worked alongside Europol to take down Emotet, and Ukrainian police released a video in connection with the botnet, showing the confiscation of a number of hard drives from an apartment. It's currently unknown how many people have been arrested or charged in relation to the takedown, but reports indicate that two persons of interest have been taken into custody. Dutch national police mentioned in a statement that two primary servers were located in the Netherlands. German law enforcement seized 17 servers used as controllers in Germany. Several hundred servers were located all around the world and were used by attackers to manage the infected victims, spread to new machines, and keep their network resilient to takedown attempts. Europol called this takedown a new and unique approach, but even so, it's hard to say how long Emotet will stay inoperable, since it's possible that the attackers backed up their data so they can resume operations after a sting.
Since Emotet was used to install other malware, access to it was also sold to crime groups to operate. This means that if a group had already purchased access to an infected computer to install something like ransomware, then even once Emotet is uninstalled, that machine could still be at risk.
Dutch National Police released a tool that lets you check whether your email address appears in a database of 600,000 compromised accounts found during this operation.
This investigation is currently ongoing. Since Emotet mostly spreads through email phishing, law enforcement also recommends being skeptical of any messages that seem too good to be true, and avoiding opening emails or attachments from unknown senders.
Emotet:
https://www.cyberscoop.com/emotet-europol-us-ukraine-takedown-botnet/
https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/
https://www.youtube.com/watch?v=_BLOmClsSpc
https://www.politie.nl/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html#english
https://thehackernews.com/2021/01/european-authorities-disrupt-emotet.html