Thursday marked a rare day where law enforcement agencies around the world hit back in the war against ransomware attackers.
Europol announced a takedown of infrastructure used to run the Emotet botnet in a joint operation with law enforcement organizations from the U.S., U.K., Canada, the Netherlands, Germany, France, Lithuania, and Ukraine. According to a release, authorities seized an undisclosed number of servers, computers and other devices used by Emotet, which functions as both a bot network and a popular form of malware used by ransomware actors to gain early stage access into a victim’s network. Machines infected by Emotet malware are now redirecting traffic to infrastructure controlled by law enforcement.
According to analysis from Check Point, Emotet was among the most popular malware variants seen in 2020, accounting for 7% of the organizations attacked for the month of December and 100,000 users every day as Christmas and New Year’s approached. After similar stints on top in September and October, the trojan saw a dropoff in November before roaring back ahead of the holidays.
Europol authorities said Emotet’s malware-for-hire business model and its prominent place in the ransomware ecosystem made it a high-priority target for law enforcement. During the operation, Dutch National Police acquired a database used by Emotet operators containing stolen email addresses, usernames and passwords, and Dutch authorities have set up a website that lets visitors check if their email address was among those compromised.
“It's a unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network,” the Europol release stated.
It remains to be seen what impact the takedown will ultimately have on Emotet and its operations. A previous takedown of infrastructure related to Trickbot yielded mixed results. However, some threat intelligence experts say there may be reason to hope that this operation could have a more durable effect on Emotet.
“At this stage, it’s difficult to tell what this global action will bring. Law enforcement events can have and previously have had variable impact on disrupting the technology and operators of these large-scale botnets,” said Sherrod DeGrippo, senior director of threat detection at Proofpoint in a statement.
“Considering this appears to be a law enforcement action on the backend infrastructure of the Emotet botnet, this really could be the end. Further to this, if the threat actors behind the botnet (TA542) were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.”
The operation also included private sector entities. In a blog, Team Cymru, a cybersecurity company that aggregates and analyzes malicious network traffic, said they worked with law enforcement agencies in the latter stages of the takedown, specifically helping to block parts of Emotet’s infrastructure that couldn’t be legally seized by authorities.
“In some countries, Emotet’s activities aren’t illegal — unless that country’s citizens are victims,” wrote James Shank, chief architect of community services and senior security evangelist at Team Cymru. “International law enforcement collaboration varies between countries. Add to this that some hosting providers may have ties to criminal enterprise [and] serving papers on upcoming activity may become a signal that allows the actors to get away.”
According to Shank, Emotet is actually comprised of three distinct botnets that communicate with over 100 different domain controllers. Along with Cryptolaemus, a collection of security researchers focused on Emotet, Team Cymru helped sort which domain controllers were seized by law enforcement and which were still controlled by Emotet. They passed that information along to network operators, who helped block the remaining active controllers, forcing them to cycle through the list until it eventually connects with a server controlled by law enforcement.
“On Tuesday, Jan. 26, 2021, available controllers talking like Emotet Tier 1 controllers dropped to zero,” Shank wrote. “Team Cymru’s monitoring confirmed that they dropped from over 100 to zero in a really short timeframe.”
In a follow up, Shank told SC Media that the voluntary, collaborative posture taken by different private and public stakeholders is what sets this takedown apart from others.
"Many take downs rely solely on legal paperwork with compulsory action," he said. "Paperwork was used in this effort, but the bulk background story to this effort was a group of individuals motivated by one or both sides
of the same effort: make life hard for the criminals or protect the
innocent."
Meanwhile the same day, the FBI announced a coordinated action against one member of another ransomware group, Netwalker. The bureau unsealed an indictment in a Florida court for Canadian national Sebastien Vachon-Desjardins, who is alleged to have received more than $27 million in ransom payments as part of Netwalker. It also disclosed the Jan. 10 seizure of more than $450,000 in cryptocurrency ransom payments and seized control of the dark web leak site the group operates in conjunction with Bulgarian authorities.
“This case illustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking them, and holding them accountable for their alleged criminal actions,” said Michael F. McPherson, special agent in charge of the FBI’s Tampa Field Office, in a statement.