Feb 27, 20212 min read

International Police Coalition Takes Control of Emotet Botnet

By Kaden Pradhan

London, United Kingdom

The Emotet botnet had infected hundreds of thousands of systems before it was dismantled. (Photo Credit: Eurojust)

An international police alliance has seized control of and dismantled the Emotet botnet, which has been described as the world’s most dangerous and resilient malware. The coalition, led by the European police association Europol, collected thousands of computers running the software and disrupted the network’s infrastructure from the inside in a coordinated, global operation. The botnet, which according to one expert has caused millions of dollars in financial losses, will no longer be active.

The Emotet malware functioned by using a very common piece of software: Microsoft Word. Victims would receive a seemingly harmless “phishing” email from a fake version of a coworker, containing a Word document. When the user opened the document, they would be greeted with an innocuous, built-in Word notification asking them to “Enable Macros” to continue. If they did so, the botnet was granted access to the victim’s personal and sensitive data, as well as all their files. This could then be used as a springboard to hack their bank accounts or install ransomware on the computer. A consultant for Check Point Software, a leading provider of IT security, called Emotet “the most successful and prevalent malware of 2020, by a long way.”

Two weeks ago, Europol and its sister organization, Eurojust, launched one of the most ambitious anti-cybercrime operations in history. Intelligence and law-enforcement agents from the United Kingdom, the United States, Canada, France, Germany, the Netherlands, Lithuania and Ukraine simultaneously struck against the botnet both virtually and physically. Hundreds of servers maintaining and spreading the Emotet botnet were seized, and their computing power was redirected to disrupting the system that they worked for. Soon, at least half of Emotet’s cyber-infrastructure had been destroyed, rendering the botnet inactive. The investigators took control of the rest, systematically dismantling the network.

Intelligence officers worked non-stop in an international coalition fronted by the Europol police alliance. (Photo Credit: The Big News Network)

Many individual nations had been tracking Emotet, but before Europol united these countries, the botnet had always resisted their efforts to destroy it. The malware was protean, adapting over the years it had operated. It had been set up in 2014, originally as a “Banking Trojan,” but had continuously evolved. It was also the foundation for many other types of malware; as a “loader” function, it allowed many other species of dangerous software like TrickBot and Ryuk to be installed on a computer once it had finished, making it the go-to solution for many cyber-criminals. It was a polymorphic algorithm as well, meaning every time it was run, it changed its code slightly to make it harder for a uniform takedown. All this contributed to its immense resilience, and this is the reason it took a global force to finally overcome it.

Europol is now advising civilians to check if their accounts have been compromised by Emotet, using a new database created primarily by the Dutch National Police.