For half a decade, the malware known as Emotet has plagued the Internet, growing into one of the largest botnets in the world and subjecting its victims to data theft and crippling ransomware. Now, a sweeping global police investigation has culminated in the takedown of Emotet and the arrest of several alleged members of the criminal conspiracy behind it.
Europol today announced that a worldwide coalition of law enforcement agencies from the United States, Canada, the United Kingdom, the Netherlands, Germany, France, Lithuania and Ukraine had stopped Emotet, which it called “the world’s most dangerous malware”. The global effort, known as Operation Joaninha, coordinated with private security researchers to disrupt and take over Emotet’s command and control infrastructure – located in more than 90 countries, according to Ukrainian police – while arresting at least two Ukrainian members of the cybercriminal crew.
A video of a police raid released by Ukrainian police shows police officers seizing computer equipment, money and rows of gold bars from alleged Emotet operators. Neither the Ukrainian police nor Europol identified the arrested hackers or detailed their alleged role on the Emotet team. A statement from the Ukrainian authorities notes that “other members of an international group of hackers who used the infrastructure of the Emotet botnet to conduct cyber attacks have also been identified. Measures are being taken to stop them”.
“The Emotet infrastructure essentially served as a primary door opener for computer systems on a global scale,” says a statement from Europol about the operation. The international investigation and disruption operation, says the statement, “resulted in this week’s action in which police and judicial authorities gained control of the infrastructure and removed it from within.”
According to Dutch police, Emotet caused hundreds of millions of dollars in total damage, while Ukrainian authorities put the figure at $2.5 billion. The botnet spread mainly through spam carrying malicious links and documents laced with malicious Microsoft Office macros, and became notorious for delivering everything from banking Trojans to ransomware onto victims’ machines.
The botnet’s operators had a reputation for being particularly adept at evading spam filters, says Martijn Grooten, an independent security researcher and former organizer of the Virus Bulletin conference who has tracked Emotet for years. They used compromised email servers to send their email lures in bulk and, once a victim took the bait, spread laterally within the organization’s network to gain a foothold on multiple machines. Emotet’s operators also partnered with other cybercriminal gangs, selling access to groups focused on theft and ransomware. It helped propagate other major botnets such as Trickbot, which infected more than a million computers before it was partially disrupted by a security industry coalition and US Cyber Command in October. “They were particularly good at getting past companies’ defenses,” says Grooten. “You just click on a Word attachment, enable the macros, and find that access to your computer has been sold to a ransomware operator and your company has been ransomed for $2 million.”