Notorious Emotet Botnet Disrupted, But Likely Will Be Back

An international effort has led to the dismantling of the Emotet botnet, the world’s most dangerous malware strain and cybercrime-as-a-service operation.

This was a collaborative effort among authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine. It was coordinated by Europol and Eurojust.

Cybersecurity industry experts, however, say those behind Emotet will likely find a way to resurface with a new version.

According to Europol, Emotet botnet malware was delivered to victims’ computers via infected e-mail attachments. Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.

Core Pieces will Live On

Brandon Hoffman is Netenrich‘s CISO. He said the takedown is a “great accomplishment that has been sorely needed.”

NetEnrich’s Brandon Hoffman

“Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever,” he said. “Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods. There is a lot that we know about Emotet and we can apply those learnings for future defense, ideally providing earlier detection/prevention.”

Emotet was much more than just a malware, according to Europol. What made it so dangerous is the malware was offered for hire to other cybercriminals to install other types of malware, such as banking trojans or ransomwares, onto a victim’s computer.

Emotet’s Impact Can’t be Overstated

Stefano De Blasi is threat researcher at Digital Shadows. He said Emotet’s relevance on the cyber threat landscape cannot be overstated.

Digital Shadows’ Stefano De Blasi

“First discovered in 2014, Emotet evolved from a banking trojan to a highly successful initial access vector used by numerous threat actors and cybercriminal groups,” he said. “Emotet operators frequently modified the techniques used by this botnet to obfuscate its activity and increase its distribution. Social engineering attacks such as spear-phishing emails containing malicious attachments have been one of the most successful tactics employed by Emotet.”

This takedown holds the promise of having caused severe disruption to Emotet’s networks and infrastructure, De Blasi said. It also could result in longer down time for Emotet.

However, it’s unlikely Emotet will cease to exist after this operation, he said.

Malicious botnets are exceptionally versatile, De Blasi said. Therefore, it’s likely their operators will sooner or later be able to recover from this blow and rebuild their infrastructure. That’s what TrickBot operators did.

Immediate Impact

Chris Morales is Vectra‘s head of security analytics. He said Emotet was large and far reaching.

Vectra’s Chris Morales

“What is impressive, yet concerning, is how it has persisted for so long,” he said. “That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organizations. There will be an immediate impact. Crime organizations operate based on a cost-and-efficiency model much like any legitimate organization.”

Taking down Emotet is the equivalent of “taking down an AWS or Azure major data center,” Morales said.

“The immediate impact would be felt,” he said. “But eventually organizations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organizations leveraging that infrastructure.”

It appears law enforcement is learning to respond better to international threats, Morales said.