For more than half a decade, the malware known as Emotet has plagued the internet, growing into one of the biggest botnets worldwide and hitting victims with data theft and crippling ransomware. Now, a sprawling global police investigation has resulted in Emotet's takedown and the arrest of several suspected members of the criminal conspiracy behind it.
Europol today announced that a global coalition of police agencies in the US, Canada, the UK, the Netherlands, Germany, France, Lithuania and Ukraine has disrupted Emotet, which it called "the most dangerous malware in the world". The global effort, known as Operation Ladybird, coordinated with private security researchers to disrupt and take control of Emotet's command and control infrastructure, located in more than 90 countries according to Ukrainian police, while simultaneously arresting at least two Ukrainian members of the cybercrime team.
Video of a raid released by Ukrainian law enforcement shows agents seizing computer equipment, cash and rows of gold bars from suspected Emotet operators. Neither Ukrainian police nor Europol named the arrested hackers or detailed their alleged role in the Emotet team. A statement from the Ukrainian authorities notes that "other members of an international hacker group who have used the infrastructure of the Emotet botnet to carry out cyber attacks have also been identified. Measures are being taken to detain them."
"The Emotet infrastructure has essentially acted as a primary door opener for IT systems on a global scale," reads a Europol statement about the operation. The international investigation and disruption operation, the statement said, "culminated in this week's action in which law enforcement and judicial authorities took control of the infrastructure and dismantled it from within."
Dutch police said Emotet caused hundreds of millions of dollars in total damage, while Ukrainian law enforcement put the figure at $2.5 billion. The botnet spread primarily through spam emails carrying malicious links and Microsoft Office documents laced with malicious macros, and became known for delivering everything from banking Trojans to ransomware onto victims' machines.
Emotet's operators had a reputation for being particularly good at evading spam filters, says Martijn Grooten, an independent security researcher and former organizer of the Virus Bulletin conference who has followed Emotet for years. They used compromised mail servers to send their lure emails en masse and, once a victim took the bait, spread laterally through the organization's network to gain a foothold on additional machines. Emotet's operators also teamed up with other cybercriminal gangs, selling access to groups focused on theft and ransomware. Emotet also helped build up other large botnets such as Trickbot, which infected over a million computers before it was partially disrupted by a coalition of the security industry and US Cyber Command in October. "They were particularly good at supporting corporate defenses," says Grooten. "All you need to do is click on a Word attachment, activate the macros, and it turns out that access to your computer has been sold to a ransomware operator and your business is ransomed for $2 million."
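The infection chain the last two paragraphs describe (a spam attachment, an Office document, a user who enables macros) is also the point where a mail gateway or an analyst can intervene before anything runs. What follows is an added example, not code from the article or from anyone it quotes: a small Python triage routine that inspects an attachment's bytes for an embedded VBA project inside an OOXML container and flags the legacy OLE2 binary format for deeper inspection. The sample documents, file names and verdict labels are constructed for illustration; it is not an Emotet-specific detector and it does not decompress or analyse the VBA code itself.

```python
"""Attachment triage for macro-bearing Office documents.

Added example, not code from the article or from any party it mentions.
Macro-enabled OOXML files (.docm, .xlsm, ...) are ZIP archives in which the
VBA code lives in a part named vbaProject.bin; the older binary formats
(.doc, .xls) are OLE2 compound documents whose macros need a real parser
(for example oletools' olevba), so here they are only flagged for review.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP/OOXML
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm", ".potm"}


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment.

    verdict is one of:
      'macro'       OOXML container with an embedded VBA project
      'legacy_ole'  OLE2 binary Office file; may carry VBA, needs full parsing
      'suspicious'  macro-enabled extension or ZIP signature that does not check out
      'clean'       no macro indicator found by these checks
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""

    if data.startswith(OLE2_MAGIC):
        return "legacy_ole", "OLE2 compound document; inspect with a VBA parser"

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                parts = archive.namelist()
        except zipfile.BadZipFile:
            return "suspicious", "ZIP signature but the archive is unreadable"
        vba_parts = [p for p in parts if p.lower().endswith("vbaproject.bin")]
        if vba_parts:
            return "macro", "embedded VBA project at " + vba_parts[0]
        if ext in MACRO_ENABLED_EXTENSIONS:
            return "suspicious", "macro-enabled extension but no VBA project part"
        return "clean", "OOXML container without a VBA project"

    if ext in MACRO_ENABLED_EXTENSIONS:
        return "suspicious", "macro-enabled extension on a non-Office byte stream"
    return "clean", "not an Office container"


def triage(attachments):
    """Classify a list of (filename, bytes) and return the names to hold for review."""
    return [fn for fn, data in attachments if classify_attachment(fn, data)[0] != "clean"]


def build_ooxml(parts):
    """Constructed minimal OOXML-style ZIP built from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for part_name, content in parts.items():
            archive.writestr(part_name, content)
    return buf.getvalue()


# Constructed samples (not real Emotet lures): a macro-enabled document, a clean
# one, a bare legacy OLE2 header, and a PDF.
SAMPLE_MACRO_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder VBA project\x00",
})
SAMPLE_CLEAN_DOC = build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504
SAMPLE_PDF = b"%PDF-1.7\n%constructed sample\n"

if __name__ == "__main__":
    mailbox = [
        ("invoice_2021.docm", SAMPLE_MACRO_DOC),
        ("report.docx", SAMPLE_CLEAN_DOC),
        ("contract.doc", SAMPLE_LEGACY_DOC),
        ("brochure.pdf", SAMPLE_PDF),
    ]
    for fn, data in mailbox:
        print(fn, *classify_attachment(fn, data))
    print("held for review:", triage(mailbox))
```

The check keys on the container's contents rather than on the file extension, so a macro-laden file renamed to .docx is still caught, while a .docm that carries no VBA part is merely held as suspicious. Anything classed as 'macro' or 'legacy_ole' should go on to a real VBA extractor before a verdict is made; many gateways simply quarantine those types outright, which is the coarser but cheaper version of the same control.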