The Emotet botnet, a major spreader of Windows malware and ransomware, has been taken down in a law enforcement crackdown.
On Wednesday, police agencies in Europe announced they had worked with the US to seize the main servers that controlled Emotet, which spread malware through phishing emails.
Law enforcement in Ukraine uploaded a video that shows them raiding a residence and uncovering the servers behind the operation. Two Ukrainian citizens suspected of running the servers were also nabbed.
Emotet began in 2014 as a strain of malware designed to steal people’s online banking login information. However, as Emotet spread, it also gained a foothold into thousands of computers, enabling it to become a botnet, or an army of infected machines.
The operators behind Emotet then began selling access to the botnet, giving cybercriminals a useful tool to spread other strains of malware through fake emails. “A variety of different lures were used to trick unsuspecting users into opening these malicious attachments,” Europol said. “In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.”
To infect a Windows machine, the emails usually contained an attachment or link to download a malicious Word file. “Once a user opened one of these documents, they could be prompted to ‘enable macros’ so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer,” Europol added.
Once a successful infection occurred, the Emotet malware would then provide a beachhead for cybercriminals to load other malware, including the infamous banking Trojan Trickbot and the notorious ransomware strain Ryuk.
The UK National Crime Agency says Emotet infected millions of computers worldwide and helped cybercriminals infiltrate thousands of companies. Investigators in Ukraine estimate banks in the US and Europe lost $2.5 billion due to the attacks.
The operators behind Emotet, meanwhile, made a fortune. “Analysis of accounts used by the group behind Emotet showed $10.5 million being moved over a two-year period on just one virtual currency platform,” UK authorities said. During the same period, the culprits spent at least $500,000 to maintain the IT systems behind Emotet.
The big question is whether law enforcement has seriously crippled Emotet for good. UK investigators say at least 700 servers behind the botnet have been taken down. But it remains unclear if all the operators behind the botnet were identified and arrested. Botnet-monitoring website Feodo Tracker shows that about 20 Emotet servers remain online.
In the meantime, law enforcement say they seized a database containing all the email addresses, usernames, and passwords the Emotet group stole. Police in Poland created a website that lets you check whether your account was ever compromised by the botnet.