Emotet Takedown – What’s Next

By ISBuzz Team, Writer, Information Security Buzz | Jan 28, 2021 04:40 am PST

A global takedown operation has disrupted Emotet, a prolific form of malware active in 2020. Cybersecurity experts commented below on the takedown of Emotet and on whether it will reappear in the future.

8 Responses

  1. The announcement that Europol has disrupted Emotet’s infrastructure is a very welcome development in the enterprise security landscape. For years, businesses have been relentlessly targeted by this malicious variant, initially infecting employees’ computers through corrupted email attachments before spreading laterally throughout the organization’s network.

     The demise of Emotet will be welcomed in many quarters, but there is no doubt that malicious actors will be developing new variants to fill the vacuum. As such, email security practices, especially in light of remote work, are more important than ever.

     These attacks are one of the most common and dangerous methods to infiltrate an organisation. The technique has so far caught businesses under-prepared, as protection solutions available are cumbersome and hard to implement at scale. To protect against these ongoing attacks, enterprises must continue to train users on how to avoid phishing attacks. It is also critical to implement strong email security. Zero-touch deployment S/MIME email certificates automatically update the security profile of the email communication by authenticating the sender, encrypting the email content and attachment, and ensuring integrity.

  2. Emotet has been with us for many years. TA542, the actor behind the botnet, has been tracked by Proofpoint since 2014, when reports of their signature payload, Emotet, emerged.

     It has since become known as one of the world’s most disruptive threats. What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans. At this point, any mainstream banking trojan may lead to devastating ransomware attacks. Their campaign volume is typically large, as we usually observe hundreds of thousands of emails per day when Emotet is operating.

     At this stage, it’s difficult to tell what this global action will bring. Law enforcement events can have and previously have had a variable impact on disrupting the technology and operators of these large-scale botnets. Considering this appears to be a law enforcement action on the backend infrastructure of the Emotet botnet, this really could be the end. Further to this, if the threat actors behind the botnet (TA542) were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.

  3. Unfortunately, many people wrongfully think law enforcement does very little against hacking. It is great to see that these, often clandestine, operations can have such a tangible effect, from taking down dark web marketplaces such as Hansa Market to disrupting attacker infrastructure. These operations are incomprehensibly large, crossing many international borders and jurisdictions, but also requiring pinpoint accuracy in both digital and physical actions by international and local law enforcement teams. This is a great story from the front lines on successful international law enforcement.

  4. Since its discovery more than six years ago, Emotet has been used in cyber espionage and criminal activity to steal data, intellectual property, and untold proprietary information from consumers and businesses totaling hundreds of millions of dollars. As the malware morphed, cybercriminals more recently have been using Emotet to carry out brazen, targeted ransomware attacks on some public and private sector organizations on every continent. Emotet hasn’t been a run-of-the-mill or garden-variety malware. In fact, it became one of the biggest players on the global cybercrime stage. Because of its popularity, Emotet even helped other cybercriminal operators behind the development of the Trickbot and Ryuk malware benefit.

     Kudos to the efforts of many law enforcement agencies around the world and other public and private sector organizations for working together to take down Emotet’s infrastructure. This work must continue as taking the fight directly to cybercriminals is the only way for defenders to protect themselves. The battle being waged by defenders daily to root out Emotet and other forms of malware is essential in making cybercrime unprofitable.

     From a defender’s standpoint, we’ll never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts. We need to arm security analysts with tools to make the connection between disparate indicators of compromise – and more importantly, the more subtle indicators of behavior associated with an attack – so they can quickly detect and respond to malicious operations with surgical precision.

     That’s the only way to reverse the adversary advantage by detecting earlier and remediating faster; thinking, adapting, and acting more swiftly than attackers before they can adjust their tactics; and having the confidence as defenders that we can reliably intercept and eliminate emerging threats before an attack escalates to the level of a breach.

  5. Emotet was large and far-reaching. What is impressive/concerning is how it has persisted for so long. That stability and length of time is what has made Emotet so lucrative and widely adopted by other criminal organisations. There will be an immediate impact. Crime organisations operate based on a cost and efficiency model much like any legitimate organisation.

     Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organisations leveraging that infrastructure.

     The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these types of organisations that can operate beyond any specific countries’ borders.

  6. It is hard to overstate the significance of the achievement announced by Europol today in bringing the EMOTET botnet offline. It will have an immediate effect from a cybersecurity perspective, with EMOTET consistently ranking as one of the most persistent threats facing individuals and organizations. EMOTET was used as a springboard for a number of cybercriminal groups and attack techniques. The dismantling of its infrastructure will effectively kill a number of malicious operations, at least for the short term.

     However, even more significant than the immediate benefits is the precedent this sets for international collaboration in fighting back against widespread criminal organisations. For years, cybercriminals have exploited the complexity of enforcing cybersecurity law across borders. This announcement today signifies major progress in closing those gaps and holding cybercriminals to account. It is an achievement for all of the countries involved in this collaborative effort and establishes a process whereby international cybercrime can be thwarted.

  7. Emotet has consistently remained one of the most widely distributed malware families in recent years. While it was historically associated with banking fraud, since 2017 the malware has been leveraged to distribute spam and secondary malware payloads, which we believe was on behalf of a limited set of customers. Between October 2020 and January 2021, we observed Emotet distribute multiple malware variants that have been used to enable ransomware operations, so it is plausible that this Emotet disruption may reduce the immediate victim pool for ransomware deployment in the short term. Mandiant has observed threat actors rebuild their botnets following other takedown or disruption efforts, although the likelihood of this scenario hinges on the significance of the individuals who have been apprehended. Notably, the actors behind Emotet have existing partnerships with other notable malware operations, including Trickbot, Qakbot, and Silentnight. In addition to distributing these families as secondary payloads, we have occasionally observed Emotet being distributed by these families in the past. These existing partnerships and renewed spamming could be leveraged to rebuild the botnet.

  8. Botnets have been one of the most common malware deployment methods over the past decade, and Emotet, in particular, has been instrumental in spreading ransomware as a secondary payload, so we welcome the action taken by law enforcement agencies to knock it offline.

     However, given the distributed nature of Emotet and the legal impunity that its masters have operated with for years, it is doubtful that this operation will end it entirely. However, it will make this huge criminal enterprise more complicated and expensive to run and help strengthen the cross-border co-operation desperately needed in the fight against cybercrime.

     The evolution and volume of attack types emitting from botnets have been significant over recent years, and it’s likely we’ll continue to see others emerge in the future due to the scale of infection they can achieve and the financial rewards gained from them. The UK’s National Crime Agency reported seeing over $10.5M moved by the group behind Emotet over a two-year period on just one Virtual Currency platform. Investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure, highlighting the size and scale of the operation.

     To protect against future botnet threats, organisations should ensure they have strong, reputable cybersecurity software in place that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple types of attacks at different stages of the attack cycle. They should also run regular security awareness and phishing simulations to ensure end-users know how to spot suspicious messages and threats.
