Emotet, NetWalker and TrickBot have taken big blows, but will it be enough?
A trio of operations meant to disrupt ransomware outfits in recent months — two of which came to light this week — could have lasting impacts even if they stop short of ending the threat, security experts say.
Researchers are still sizing up the effects of the recent busts of the Emotet and NetWalker gangs, but those operations have the potential to be more potent than last fall's maneuvers against the TrickBot botnet.
In research out Friday, Menlo Security — echoing similar conclusions from other cyber firms — said it saw signs of TrickBot recovering, but the rebound has amounted to just a “trickle.” U.S. Cyber Command and Microsoft had led separate efforts to disrupt the hacking infrastructure of TrickBot, a massive army of zombified computers. The fear was that the botnet could be used to carry out ransomware attacks afflicting the November elections.
This week’s two operations might be more promising still. U.S. and European law enforcement said they seized servers that the even more menacing Emotet botnet uses, complete with a video capturing a Ukrainian police raid on an apartment. Cybercriminals have used Emotet to distribute the Ryuk ransomware.
And U.S. and Bulgarian law enforcement cooperated to seize nearly half a million dollars' worth of cryptocurrency from the NetWalker attackers, charge a man allegedly involved in NetWalker attacks, and shut down the website the gang used to publish samples of stolen data, pressuring victims to pay under the threat that the rest would be released.
Collectively, Emotet, NetWalker and TrickBot are associated with some of the most damaging and costly ransomware attacks of the past year.
Even those who don't expect this week's operations to stop attacks by these groups found them meaningful.
“No one thinks that some combination of arrests and server seizures will drain the swamp completely and permanently,” Robert Chesney, a University of Texas law professor and former Justice Department official, said via email. “The idea instead is to have as much impact as possible at the margin, increasing the difficulty level and driving up costs (both financial and of the risk-of-jail sort) in order to reduce and disrupt the harm.”
In the case of TrickBot, Menlo Security said the signs of life were attacks targeting the legal and insurance industries in North America. The attacks start with an email containing a URL that leads the user to a compromised server, which tries to coax them into downloading malware. Both that URL and the command-and-control server the downloaded malware connects to have ties to TrickBot.
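The chain Menlo describes has two observable stages on the network: the click on the lure URL and, shortly afterward, the malware's connection to its command-and-control server. The script below is an added example (not Menlo Security's code and not from the original article) that correlates those two stages in proxy logs from the same client. The log lines, the lure URL and the C2 addresses are constructed placeholders for illustration; they are not real TrickBot indicators, and in practice the sets would be populated from a threat-intelligence feed.

```python
"""Correlate a lure-URL click with a later C2 connection from the same client.

Added example with constructed data: the indicator values below are
hypothetical placeholders, not real TrickBot infrastructure.
"""
from datetime import datetime, timedelta

# Hypothetical indicators (constructed for this example).
LURE_URLS = {"http://invoice-portal.example/docs/view.php"}
C2_HOSTS = {"203.0.113.45", "198.51.100.7"}

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <target>".
SAMPLE_LOGS = """\
2021-01-29T14:02:11 wks-legal-17 GET http://invoice-portal.example/docs/view.php
2021-01-29T14:02:40 wks-legal-17 GET http://invoice-portal.example/docs/statement.zip
2021-01-29T14:05:03 wks-legal-17 CONNECT 203.0.113.45:443
2021-01-29T14:06:30 wks-ins-04 CONNECT 198.51.100.7:449
2021-01-29T15:10:00 wks-legal-02 GET https://intranet.example/home
""".splitlines()

# How long after the click a C2 connection is still treated as part of the chain.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Split one log line into (timestamp, client, method, target)."""
    ts, client, method, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, target


def c2_match(method, target):
    """Return the C2 host if the event is a CONNECT to a known C2 host, else None."""
    if method != "CONNECT":
        return None
    host = target.rsplit(":", 1)[0]  # strip the port from host:port
    return host if host in C2_HOSTS else None


def correlate(lines, window=WINDOW):
    """Link each C2 connection to the most recent lure click by the same client.

    Events are sorted by time first so unordered input is handled. A C2
    connection preceded within `window` by a click on a known lure URL from
    the same client is reported as 'full_chain'; a C2 connection without such
    a click is 'c2_only' and still merits triage, since the click may have
    happened off-network or outside the log window.
    """
    events = sorted(parse_line(line) for line in lines)
    last_click = {}  # client -> timestamp of its latest lure click
    findings = []
    for ts, client, method, target in events:
        if method == "GET" and target in LURE_URLS:
            last_click[client] = ts
            continue
        c2 = c2_match(method, target)
        if c2 is None:
            continue
        click = last_click.get(client)
        if click is not None and ts - click <= window:
            stage = "full_chain"
        else:
            stage, click = "c2_only", None
        findings.append({"client": client, "stage": stage, "c2": c2,
                         "click_at": click, "c2_at": ts})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

On the constructed logs this reports `wks-legal-17` as a full chain (click at 14:02:11, C2 connection at 14:05:03) and `wks-ins-04` as a C2-only hit. Exact URL matching is deliberate: lure pages on compromised sites often share a host with legitimate content, so matching on the bare domain would drown the alert in false positives.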
The new activity shows that “the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment,” Menlo Security said, following other signs of a TrickBot revival.
But given the difficulty TrickBot has had in recovering, “I think these takedowns in general are the right direction in which the security industry has to move towards,” said Vinay Pidathala, director of security research at the company.
There’s at least a degree of concern that Emotet might have better luck rebuilding, even if some cybersecurity experts believe the law enforcement actions against it are more damaging than what Cyber Command and Microsoft did to TrickBot.
The cybercriminals behind Emotet have forged relationships with other malware operations, said Kimberly Goody, senior manager of cybercrime analysis at Mandiant Threat Intelligence, a division of FireEye. That means the effectiveness of the Emotet disruption might depend on “the significance of the individuals who have been apprehended,” she said.
“These existing partnerships and renewed spamming could be leveraged to rebuild the botnet,” Goody said.
The cybersecurity firm Intel 471 is more pessimistic about an Emotet rebound, saying that it lacks “any sort of recovery mechanism.” But in a blog post this week, the company said the law enforcement action against Emotet is more significant than the earlier work to harm TrickBot.
“The difference between disruption and takedown boils down to criminals being put in handcuffs,” the company said.