Agents disrupt Emotet, the Internet’s “most dangerous malware”

For more than half a decade, the malware known as Emotet has threatened the Internet, grown into one of the largest botnets in the world, and left victims of data theft and crippling ransomware in its wake. Now, a massive global police investigation has culminated in the disruption of Emotet and the arrest of several suspected members of the criminal conspiracy behind it.

Europol today announced that a global coalition of law enforcement agencies in the US, Canada, UK, Netherlands, Germany, France, Lithuania and Ukraine had disrupted Emotet, calling it the “world’s most dangerous malware.” The global effort, known as Operation Ladybird, was coordinated with private security researchers to disrupt and take over Emotet’s command-and-control infrastructure – which, according to Ukrainian police, is located in more than 90 countries – and, at the same time, to arrest at least two Ukrainian cybercriminals suspected of being members of the group.

A video of a raid released by Ukrainian law enforcement shows agents seizing computer equipment, cash and rows of gold bars from alleged Emotet operators. Neither the Ukrainian police nor Europol have named the arrested hackers or described their alleged role in the Emotet crew. A statement by Ukrainian authorities noted that “other members of an international hacker group who have used Emotet bot network infrastructure to carry out cyber attacks have also been identified. Measures are being taken to detain them.”

“The Emotet infrastructure essentially acted as a primary door opener for global computing systems,” Europol said of the operation. The international search and disruption operation, the statement said, “resulted in this week’s action whereby law enforcement and judicial authorities took control of the infrastructure and brought it down from within.”

According to the Dutch police, Emotet had caused a total of hundreds of millions of dollars in damage, while the Ukrainian police put the figure at $2.5 billion. The botnet had spread primarily through spam containing malicious links and documents carrying malicious Microsoft Office macros, and had become notorious for delivering everything from banking trojans to ransomware to victims’ computers.

The botnet’s operators had a reputation for being particularly adept at bypassing spam filters, said Martijn Grooten, an independent security researcher and former organizer of the Virus Bulletin conference who has followed Emotet for years. They used compromised mail servers to send their mass email lures and, once a victim took the bait, spread laterally within the organization’s network to gain a foothold on multiple machines. Emotet’s operators also partnered with other cybercriminal gangs and sold access to groups involved in theft and ransomware. It helped grow other big botnets like Trickbot, which infected more than a million computers before being partially disrupted by a coalition of the security industry and US Cyber Command in October. “They were especially good at finding out about corporate defenses,” says Grooten. “You just click on a Word attachment, enable macros, and it turns out that access to your computer has been sold to a ransomware operator and your company gets ransomed $2 million.”