U.S. and European law enforcement agencies said Wednesday they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years.
Through the police and the courts, investigators from Ukraine to Germany to the U.S. took aim at the hundreds of computer servers that Emotet has used globally to defraud victims of millions through extortion and data theft.
The investigators “gained control of the infrastructure and took it down from the inside,” Europol, the European Union’s law enforcement agency, said in a statement. “The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.”
A video posted by Ukrainian police shows officers raiding an apartment and confiscating computer equipment as part of the Emotet bust.
“Through international cooperation, the FBI’s Charlotte field office and our partners were able to use legal authorities and technical tools to disrupt the Emotet infrastructure,” an FBI official told CyberScoop.
It’s a big blow to a botnet that has haunted the internet for years. Scammers have used Emotet for everything from a phishing campaign against potential U.S. Democratic Party volunteers, to more potent activity that distributes the notorious Ryuk ransomware to victims.
“What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans,” said Sherrod DeGrippo, senior director of threat research and detection at email security firm Proofpoint. “At this point, any mainstream banking trojan may lead to devastating ransomware attacks.”
The botnet has wreaked havoc on state and local institutions in the U.S. and abroad. The Department of Homeland Security has estimated that Emotet infections have cost U.S. state and local governments $1 million per incident to clean up. In Germany, private investigators told the Berlin high court to completely rebuild its computer systems after a 2019 Emotet attack.
Emotet typifies a “spray and pray” tactic popular with crooks who don’t discriminate in their targets. The malicious emails come in droves, sometimes hundreds of thousands a day. The dragnet makes it likely that at least some victims click on the malicious emails, offering the criminals a return on the investment.
“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” as Europol put it.
It’s unclear whether the criminals behind Emotet will be able to rebuild their operations. Botnets can be resilient; TrickBot, another big botnet, has survived big efforts to disrupt its operations from Microsoft and U.S. Cyber Command.
“Botnet takedowns are complicated operations, success often lies in not only seizing infrastructure but more so in arresting and detaining the main individuals behind the operation for a longer period of time,” said John Fokker, a former Dutch cybercrime investigator who is now head of cyber investigations for McAfee.
Here is a Ukrainian police video showing a raid on an apartment as part of the Emotet crackdown: