Emotet Takedown Disrupts Vast Criminal Infrastructure; NetWalker Site Offline


Hundreds of servers and 1 million Emotet infections have been dismantled globally, while reports have emerged on Twitter that NetWalker’s Dark Web leaks site is offline.

The virulent malware known as Emotet – one of the most prolific malware strains globally – has been dealt a blow thanks to a takedown by an international law-enforcement consortium.

Meanwhile, the NetWalker ransomware may also have been subjected to disruption, according to reports on Twitter.

What’s confirmed is that authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States have worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The effort eliminated active infections on more than 1 million endpoints worldwide, they said.

Emotet is a loader-type malware that’s typically spread via malicious emails or text messages. It’s often used as a first-stage infection, with the primary job of fetching secondary malware payloads, including Trickbot, Qakbot and the Ryuk ransomware. Its operators often rent its infrastructure to other crime groups for use in achieving initial access into corporate networks. With an average rate of 100,000 to a half-million Emotet-laden emails sent per day, Europol has dubbed it the “world’s most dangerous malware.”

An Emotet snapshot. Source: Europol.

“It is a so-called ‘modular malware family’ that can install all kinds of additional malware on systems, steals passwords from browsers and email clients, and is very difficult to remove,” according to an announcement from Dutch police issued on Wednesday. “One of the things that makes Emotet so dangerous is that Emotet opens the door to other types of malware, as it were. Large criminal groups were given access to some of those systems for payment to install their own malware. Concrete examples of this are the financial malware Trickbot and the ransomware Ryuk.”

The infrastructure that international police seized was wide-ranging, authorities said. “Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay,” according to the Dutch police.

An announcement from Europol added, “The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.”

The Dutch authorities also found a database of around 600,000 stolen email addresses with passwords lurking on one of the servers; people can check to see if they’ve been compromised via a special checker website.

Details on how Operation LadyBird specifically worked are scant, but Europol noted: “Law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Meanwhile, criminal investigations are continuing globally in an effort to track down the individuals responsible for the Emotet scourge, according to Europol.

“The result here is gratifying, but the havoc Emotet wreaked across numberless networks in seven years is alarming,” Hitesh Sheth, president and CEO at Vectra, told Threatpost. “We’ve got to aspire to more international cooperation for cybersecurity plus better response time. None of us know how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”

Permanent Takedown?

Of course, takedowns are no guarantee that a malware operation will remain permanently disrupted, as demonstrated by the Trickbot operation last fall; after that dismantling effort, Trickbot returned to the scene within two months.

“Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever,” said Brandon Hoffman, CISO at Netenrich, speaking to Threatpost. “Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods. There is a lot that we know about Emotet and we can apply those learnings for future defense, ideally providing earlier detection/prevention.”

According to Europol, in this case the agencies were able to seize the assets that would make a comeback possible for the malware’s operators.

“Back-up files were found on a few examined servers,” according to the alert. “With the help of such back-ups, the perpetrators can be operational again relatively quickly if their criminal infrastructure is taken down. The police hope that this operation will make a possible reconstruction of Emotet seriously difficult.”

Stefano De Blasi, threat researcher at Digital Shadows, told Threatpost that this latest Europol operation “holds the promise of having caused severe disruption to Emotet’s networks and command-and-control infrastructure.” He noted, “The ‘new and unique approach’ of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer down time for Emotet.”

Nonetheless, he agreed that it is unlikely that Emotet will cease to exist altogether after this operation.

“Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure – just like the TrickBot operators did.”

Constantly Evolving Emotet

Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, is a top threat, accounting for 30 percent of malware infections worldwide.

It continues to add functionality, such as the ability to spread to insecure Wi-Fi networks near an infected device; the ability to spread via SMS messages; and the use of password-protected archive files to bypass email security gateways.

Palo Alto Networks also reported to CISA last year that researchers are now seeing instances of “thread jacking” – that is, intercepting an existing email chain via an infected host and simply replying with an attachment to deliver the malware to an unsuspecting recipient.
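The two delivery tricks described above, password-protected archives that a gateway cannot open and replies injected into an existing email thread from a different mailbox, can both be checked for on the mail-receiving side. The following is an added example written for this article, not code from Threatpost, Europol or any vendor named here. It assumes three constructed RFC 5322 messages (reserved example.com/example.org/.invalid domains) and two hypothetical heuristics: a reply whose sender domain was not among the earlier participants of the thread it claims to continue, and a ZIP attachment whose local file header carries the encryption flag (bit 0 of the general-purpose flags), which is what a gateway sees when it cannot inspect the archive.

```python
"""Heuristic check for thread-hijacking lures carrying password-protected
archives. Added example with constructed sample messages; not a vendor tool."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional, Set, Tuple


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the 'encrypted' flag set.
    Header layout: signature(4) version(2) flags(2) ...; flags sit at offset 6."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def encrypted_zip_bytes(name: str) -> bytes:
    """Constructed stand-in for a password-protected ZIP: one local file header
    with flag bit 0 set and no entry data (enough for the header check)."""
    fname = name.encode()
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0x0001,
                         0, 0, 0, 0, 0, 0, len(fname), 0)
    return header + fname


def plain_zip_bytes(name: str, data: bytes) -> bytes:
    """Ordinary, inspectable ZIP built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def participant_domains(msg: EmailMessage) -> Set[str]:
    """Domains of everyone on From/To/Cc of a message."""
    fields = [str(msg.get(h, "")) for h in ("From", "To", "Cc")]
    return {a.rpartition("@")[2].lower() for _, a in getaddresses(fields) if a}


def build_message(sender: str, to: str, subject: str, body: str, msg_id: str,
                  in_reply_to: Optional[str] = None,
                  attachment: Optional[Tuple[str, bytes]] = None) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"], msg["Message-ID"] = sender, to, subject, msg_id
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


# Constructed thread: a legitimate exchange, then a "reply" from an unrelated
# mailbox that reuses the display name and attaches an encrypted archive.
SAMPLE_MESSAGES: List[bytes] = [
    build_message("Alice Example <alice@example.com>", "bob@example.org",
                  "Q1 invoice", "Bob, invoice attached next week.", "<1@example.com>"),
    build_message("Bob Example <bob@example.org>", "alice@example.com",
                  "Re: Q1 invoice", "Thanks, notes attached.", "<2@example.org>",
                  in_reply_to="<1@example.com>",
                  attachment=("notes.zip", plain_zip_bytes("notes.txt", b"ok"))),
    build_message("Alice Example <alice.example@mail-relay.invalid>", "bob@example.org",
                  "Re: Q1 invoice", "See attached, password is 1234.", "<3@mail-relay.invalid>",
                  in_reply_to="<2@example.org>",
                  attachment=("invoice_0129.zip", encrypted_zip_bytes("invoice_0129.doc"))),
]


def analyze(raw_messages: List[bytes]) -> List[Dict]:
    """Flag replies whose sender domain is foreign to the parent message's
    participants; note encrypted archives as an aggravating indicator."""
    parsed = [email.message_from_bytes(r, policy=policy.default) for r in raw_messages]
    by_id = {str(m["Message-ID"]): m for m in parsed}
    findings = []
    for m in parsed:
        reasons = []
        parent_id = str(m.get("In-Reply-To", ""))
        parent = by_id.get(parent_id)
        if parent is not None:
            known = participant_domains(parent)
            sender = domain_of(str(m["From"]))
            if sender not in known:
                reasons.append(f"reply from {sender} not among thread participants {sorted(known)}")
        for part in m.iter_attachments():
            payload = part.get_payload(decode=True) or b""
            if zip_is_encrypted(payload):
                reasons.append(f"password-protected archive {part.get_filename()}")
        findings.append({"id": str(m["Message-ID"]),
                         "suspicious": any(r.startswith("reply from") for r in reasons),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_MESSAGES):
        print(f["id"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

The sender-domain check is deliberately the trigger and the encrypted archive only an aggravating note: an encrypted ZIP from a known correspondent is common enough to be a false positive on its own, whereas a reply to an internal thread arriving from a domain no prior participant used is the thread-hijacking pattern itself. A legitimate forward to a new outside party will trip the same rule, so in practice the finding should route to a quarantine or review queue rather than a hard block.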

And the threat isn’t limited to desktop computers. Steve Banda, senior manager of security solutions at Lookout, told Threatpost Emotet has gone mobile in the past few months, too.

All of the activity led the Feds in the fall to issue a warning that state and local governments needed to fortify their systems against the trojan.

“Emotet’s relevance on the cyber-threat landscape cannot be overstated,” Digital Shadows’ De Blasi said. “Emotet operators frequently modified the techniques used by this botnet to obfuscate its activity and increase its distribution; social-engineering attacks such as spear-phishing emails containing malicious attachments have been one of the most successful tactics employed by Emotet.”

Possible NetWalker Disruption

Meanwhile, the NetWalker ransomware appears to have been affected by a law-enforcement action.

No statements have been issued on the part of law enforcement to confirm any action, but the Dark Web site that the ransomware uses to publish the data it steals during its campaigns is displaying a purported seizure notice, researchers are reporting on Twitter.

The notice claims that the FBI and the national police force of Bulgaria have worked together to sinkhole the sites. However, it could be a hack of the site by a rival or a hoax — it’s unclear what the facts are at the time of publication. One person tweeted that she was being taken to a 404 page rather than the legal action notice when trying to access the site.

Threatpost is working to confirm the action and will update this post as more information becomes available.


The post “Emotet Takedown Disrupts Vast Criminal Infrastructure; NetWalker Site Offline” appeared first on Threat Post

Source: Threat Post – Tara Seals