Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware’


For more than half a decade, the malware known as Emotet has menaced the internet, growing into one of the largest botnets in the world and targeting victims with data theft and crippling ransomware. Now a sprawling, global police investigation has culminated in Emotet’s takedown and the arrest of multiple alleged members of the criminal conspiracy behind it.

Europol announced today that a worldwide coalition of law enforcement agencies across the US, Canada, the UK, the Netherlands, Germany, France, Lithuania, and Ukraine had disrupted Emotet, what it called the “most dangerous malware in the world.” The global effort, known as Operation Ladybird, coordinated with private security researchers to disrupt and take over Emotet’s command-and-control infrastructure—located in more than 90 countries, according to Ukrainian police—while simultaneously arresting at least two of the cybercriminal crew’s Ukrainian members.

A video of a raid released by Ukrainian law enforcement shows officers seizing computer equipment, cash, and rows of gold bars from alleged Emotet operators. Neither Ukrainian police nor Europol has named the arrested hackers or detailed their alleged role in the Emotet crew. A statement from Ukrainian authorities notes that “other members of an international hacker group who used the infrastructure of the Emotet bot network to conduct cyberattacks have also been identified. Measures are being taken to detain them.”

“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” reads a Europol statement about the operation. The international investigation and disruption operation, the statement reads, “resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.”

According to the Dutch police, Emotet had caused hundreds of millions of dollars in total damages, while Ukrainian law enforcement put the figure at $2.5 billion. The botnet had spread mainly through spam carrying malicious links and Microsoft Office documents laced with malicious macros, and had become notorious for delivering everything from banking trojans to ransomware to victims’ machines.

The botnet’s operators had a reputation for being particularly skilled at evading spam filters, says Martijn Grooten, an independent security researcher and former organizer of the Virus Bulletin conference who has tracked Emotet for years. They used compromised mail servers to send their mass email lures, and once a victim took the bait they spread laterally within the organization’s network to gain a foothold on multiple machines. Emotet’s operators partnered with other cybercriminal gangs, too, selling access to groups focused on theft and ransomware. Emotet helped grow other large botnets like Trickbot, which infected over a million computers before it was partially disrupted by a security industry coalition and US Cyber Command in October. “They were particularly good at getting behind companies’ defenses,” says Grooten. “You just click on a Word attachment, enable macros, and it turns out access to your computer was sold to a ransomware operator and your company gets ransomed for $2 million.”
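The lure Grooten describes is an Office attachment whose macros run the moment the recipient clicks “Enable Content”. The check below is an added example (not code from WIRED, from Grooten, or from any takedown participant) of what a mail gateway can do about it: inspect the attachment bytes, not the file name, and flag any OOXML container that carries a VBA project, since a .docm renamed to .doc still opens in Word with its macros intact. The sample documents are constructed in memory; legacy binary (OLE) files are reported as needing deeper inspection rather than being declared clean, because confirming macros in that format needs a real OLE parser.

```python
"""Flag e-mail attachments that carry VBA macros, regardless of file extension.

Added example; the sample documents are constructed here, not real lures.
"""
import io
import zipfile

# OOXML (docm/xlsm/pptm) stores compiled VBA in a part named vbaProject.bin.
OOXML_MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Legacy binary Office files (.doc/.xls) are OLE2 compound documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'.

    The verdict is based on the bytes alone, because the extension is
    attacker-controlled and Word honours the container, not the name.
    """
    if data.startswith(OLE_MAGIC):
        # Macros in legacy files live in an OLE storage; needs a proper OLE
        # parser (e.g. olefile/oletools) before it can be called clean.
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "other"
    # Either the part itself or its declared content type gives the macro away.
    if names & OOXML_MACRO_PARTS or "vnd.ms-office.vbaProject" in content_types:
        return "ooxml-macro"
    if "[Content_Types].xml" in names:
        return "ooxml-clean"
    return "other"


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a macro-free .docx, a macro-bearing .docm, an OLE stub.
CLEAN_DOC = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument'
                           '.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x01\x16\x03\x00",  # placeholder bytes, not real VBA
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict, so a gateway policy can quarantine."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    samples = {"invoice.docm": MACRO_DOC, "invoice.doc": MACRO_DOC,
               "memo.docx": CLEAN_DOC, "old.doc": LEGACY_DOC}
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```

A gateway policy built on this would quarantine `ooxml-macro` outright and route `ole-legacy` to a sandbox or OLE-aware scanner; treating the renamed `invoice.doc` the same as `invoice.docm` is the point of deciding on content rather than extension.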

To take down Emotet, police and a large group of security industry professionals worked together to simultaneously hijack hundreds of Emotet command-and-control servers, according to one security researcher in an industry working group focused on tracking and disrupting the botnet, who asked not to be named. To cut the strings of the botnet’s puppeteers, they silently placed their own machines at the IP addresses of those command-and-control computers—many of which had been hacked PCs the Emotet gang used to manage the botnet and send instructions to victim computers.

“We took over every critical C2, top, down, left, right,” the security researcher who participated in the takedown says, using the term C2 to mean command-and-control server. “If a victim machine reaches out to one of my servers or our partners’ servers, they’re going to get a payload that’s inert and prevents further communication with the botnet. Emotet doesn’t work and the infected machine doesn’t do anything anymore.”

Botnet takedown operations in the past have had only mixed success, with cybercriminals often rebuilding quickly after a takedown attempt. Even US Cyber Command’s attempt to neuter the Trickbot botnet, for instance, is now widely believed to have dealt its operators only a short-term setback; they have since developed new versions of their malware and made progress toward rebuilding.

The Emotet operation, by contrast, appears intended to behead the beast more permanently. In their statement about the Emotet takedown, Dutch police note that they discovered and disrupted infrastructure backups, too, which they “hope…will make a possible reconstruction of Emotet seriously difficult.” The security researcher who participated in the takedown confirmed that the operation monitored the hackers’ backup processes to ensure that there were no unknown, hidden recovery techniques, and he believes that all backups were disrupted. “We found their backups and how they use them, and we took all of them,” the researcher said. “It’s going to be very hard for them to recover, and even if they do, we have other tools up our sleeve to combat that.”

The Dutch police nonetheless warn that potential victims should check whether their computers were part of the Emotet botnet, using an “Emotet Checker” tool the force has released online. Marcus Hutchins, a security researcher for Kryptos Logic who has tracked Emotet and other botnets for years, warned that anyone whose machines were infected should be careful to clean their systems despite the Emotet takedown; he cautions that they could still be hit by secondary malware that Emotet’s partners previously downloaded to their computers, such as TrickBot or QakBot.
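The check the police and Hutchins are urging, done against your own perimeter logs rather than a web form, looks like the added example below. It is not code from WIRED, the Dutch police, or Kryptos Logic. It assumes a simple `timestamp src dst:port action` firewall log format (an assumption; adapt the parser to your own export) and matches outbound destinations against a list of command-and-control addresses; the indicator list and log lines are constructed, with addresses drawn from RFC 5737 documentation ranges, and are not real Emotet indicators. Denied connections are reported alongside allowed ones: a blocked beacon still marks the host as infected and, as Hutchins notes, possibly already carrying a second payload that needs cleaning up.

```python
"""List internal hosts that beaconed to Emotet command-and-control addresses.

Added example; the C2 list and the log lines are constructed test data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed indicator list. In practice this comes from the takedown
# coalition's published IOCs or your threat-intel feed, not from this file.
C2_INDICATORS = {
    "192.0.2.10:443",
    "198.51.100.7:8080",
    "203.0.113.55:443",
}

# Constructed firewall export: timestamp src dst:port action (assumed format).
SAMPLE_LOG = """\
2021-01-25T09:12:01Z 10.0.4.21 192.0.2.10:443 ALLOW
2021-01-25T09:12:05Z 10.0.4.21 93.184.216.34:443 ALLOW
2021-01-25T09:27:02Z 10.0.4.21 192.0.2.10:443 ALLOW
2021-01-25T09:42:03Z 10.0.4.21 198.51.100.7:8080 ALLOW
2021-01-25T10:03:44Z 10.0.7.9 203.0.113.55:443 DENY
2021-01-25T10:15:00Z 10.0.9.30 93.184.216.34:443 ALLOW
this line is malformed and must be skipped
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, action); None if malformed."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, fields[1], fields[2], fields[3]


def find_beaconing_hosts(log_text: str, indicators: set) -> dict:
    """Return {src_host: {"hits": n, "c2s": [...], "first": ts, "last": ts}}.

    Both ALLOW and DENY records count: the host made the attempt, so it is
    infected whether or not the connection got through.
    """
    hits = defaultdict(lambda: {"hits": 0, "c2s": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, _action = parsed
        if dst not in indicators:
            continue
        entry = hits[src]
        entry["hits"] += 1
        entry["c2s"].add(dst)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    # Sort the C2 set so the output is deterministic and easy to diff.
    return {src: {**e, "c2s": sorted(e["c2s"])} for src, e in hits.items()}


if __name__ == "__main__":
    for host, info in sorted(find_beaconing_hosts(SAMPLE_LOG, C2_INDICATORS).items()):
        print(f"{host}: {info['hits']} beacon(s) to {info['c2s']} "
              f"between {info['first']} and {info['last']}")
```

The `first`/`last` timestamps matter for the follow-up: the first beacon bounds when the initial document was opened, and anything that host fetched after it (TrickBot, QakBot, or a ransomware loader) has to be hunted for separately, since the sinkhole only stops Emotet itself.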

If Emotet is permanently destroyed, the takedown may indeed represent a serious blow to ransomware operators worldwide, who have caused billions of dollars in damage and even endangered lives inside hospitals targeted by their extortion attempts, says Grooten. But the reprieve may nonetheless be short-lived. “A lot of operations will be disturbed in some way, but in the global scheme of things, malware actors can survive without Emotet,” Grooten says. “If you relied on Emotet for initial access, you’ll go through something else to get it, instead.”
