Emotet Takedown – What’s Next

By ISBuzz Team, Writer, Information Security Buzz | Jan 28, 2021 04:40 am PST

A global takedown operation has disrupted Emotet, a prolific form of malware that was active throughout 2020. Cybersecurity experts commented below on the takedown of Emotet and on whether it will reappear in the future.

Alan Grau, VP of IoT
January 28, 2021 1:42 pm

The announcement that Europol has disrupted Emotet’s infrastructure is a very welcome development in the enterprise security landscape. For years, businesses have been relentlessly targeted by this malicious variant, initially infecting employees’ computers through corrupted email attachments before spreading laterally throughout the organization’s network.

The demise of Emotet will be welcomed in many quarters, but there is no doubt that malicious actors will be developing new variants to fill the vacuum. As such, email security practices, especially in light of remote work, are more important than ever.

These attacks are one of the most common and dangerous methods to infiltrate an organisation. The technique has so far caught businesses under-prepared, as protection solutions available are cumbersome and hard to implement at scale. To protect against these ongoing attacks, enterprises must continue to train users on how to avoid phishing attacks. It is also critical to implement strong email security. Zero-touch deployment S/MIME email certificates automatically update the security profile of the email communication by authenticating the sender, encrypting the email content and attachment, and ensuring integrity.

Sherrod DeGrippo, Senior Director, Threat Research and Detection
January 28, 2021 1:36 pm

Emotet has been with us for many years. TA542, the actor behind the botnet, has been tracked by Proofpoint since 2014, when reports of their signature payload, Emotet, emerged.

It has since become known as one of the world’s most disruptive threats. What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans. At this point, any mainstream banking trojan may lead to devastating ransomware attacks. Their campaign volume is typically large, as we usually observe hundreds of thousands of emails per day when Emotet is operating.

At this stage, it’s difficult to tell what this global action will bring. Law enforcement events can have and previously have had a variable impact on disrupting the technology and operators of these large-scale botnets. Considering this appears to be a law enforcement action on the backend infrastructure of the Emotet botnet, this really could be the end. Further to this, if the threat actors behind the botnet (TA542) were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.

Hugo Van den Toorn, Manager, Offensive Security
January 28, 2021 1:14 pm

Unfortunately, many people wrongfully think law enforcement does very little against hacking. It is great to see that these, often clandestine, operations can have such a tangible effect, from taking down dark web marketplaces such as Hansa Market to disrupting attacker infrastructure. These operations are incomprehensively large, crossing many international borders and jurisdictions, but they also require pinpoint accuracy in both digital and physical actions by international and local law enforcement teams. This is a great story from the front lines on successful international law enforcement.

Sam Curry, Chief Security Officer
January 28, 2021 1:12 pm

Since its discovery more than six years ago, Emotet has been used in cyber espionage and criminal activity to steal data, intellectual property, and untold proprietary information from consumers and businesses totaling hundreds of millions of dollars. As the malware morphed, cybercriminals more recently have been using Emotet to carry out brazen, targeted ransomware attacks on some public and private sector organizations on every continent. Emotet hasn’t been a run-of-the-mill or garden-variety malware. In fact, it became one of the biggest players on the global cybercrime stage. Because of its popularity, Emotet even helped other cybercriminal operators behind the development of the Trickbot and Ryuk malware benefit.

Kudos to the efforts of many law enforcement agencies around the world and other public and private sector organizations for working together to take down Emotet’s infrastructure. This work must continue as taking the fight directly to cybercriminals is the only way for defenders to protect themselves. The battle being waged by defenders daily to root out Emotet and other forms of malware is essential in making cybercrime unprofitable.

From a defender’s standpoint, we’ll never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts. We need to arm security analysts with tools to make the connection between disparate indicators of compromise – and more importantly, the more subtle indicators of behavior associated with an attack – so they can quickly detect and respond to malicious operations with surgical precision.

That’s the only way to reverse the adversary advantage by detecting earlier and remediating faster; thinking, adapting, and acting more swiftly than attackers before they can adjust their tactics; and having the confidence as defenders that we can reliably intercept and eliminate emerging threats before an attack escalates to the level of a breach.

Chris Morales, Head of Security Analytics
January 28, 2021 1:08 pm

Emotet was large and far-reaching. What is impressive/concerning is how it has persisted for so long. That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organisations. There will be an immediate impact. Crime organisations operate based on a cost and efficiency model much like any legitimate organisation.

Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organisations leveraging that infrastructure.

The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these types of organisations that can operate beyond any specific country’s borders.
