Europol has announced the disruption of the Emotet botnet, one of the longest-lived and most pervasive malware threats, following a large-scale operation that also included a number of national law enforcement agencies across Europe and North America.

Authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine have banded together for the operation, which involved gaining control of the botnet’s infrastructure and taking it down “from the inside”, according to the European Union’s (EU) law enforcement agency.

“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime,” as Europol put it. The agency coordinated the effort together with Eurojust, the EU’s judicial agency.

In all, some 700 command-and-control (C&C) servers were taken offline, according to the UK’s National Crime Agency. Emotet’s operators used the servers to commandeer the compromised computers, launch new malicious campaigns and enhance the resilience of their infrastructure, among other things.

Two out of the botnet’s three main servers were located in the Netherlands, said the Dutch police, which nicknamed the disruption “Operation LadyBird”. More than a million compromised systems were detected worldwide, and they will now be cleansed of Emotet by automatically downloading a software update from servers operated by Dutch authorities.

The investigation also uncovered a database of 600,000 e-mail addresses, usernames and passwords stolen by the botnet’s operators, and the Dutch police have launched a page where people can check if their computer may also have been corralled into the botnet.

Meanwhile, police in Ukraine posted a video showing a raid on the home of a suspected Emotet operator. Reuters quoted Ukrainian authorities as saying that damage caused by Emotet totals US$2.5 billion.

A well-oiled botnet

First spotted as a banking trojan in 2014, Emotet soon established itself as a prominent player in the cybercrime-as-a-service economy, evolving into the malware equivalent of a Swiss army knife and causing untold damage to victims. Thanks to its modularity, the botnet was typically rented out to other criminals who were looking to implant additional payloads, including ransomware and banking trojans, on victims’ machines. Over the years, such threats ran the gamut and included Trickbot, a botnet that was disrupted in October of last year.

Emotet typically arrives under the guise of an innocuous looking email that, however, contains a malicious attachment or link and uses various convincing lures to dupe victims into opening the malware-laden file. After gaining an initial foothold in a network, it also has the worm-like ability to spread onto other computers within an organization’s network.

The botnet is also known for outbursts of spamming activity followed by months-long states of dormancy. It might, then, be tempting to think that the “beast” might actually never wake up again following an operation of this scale, but we should not lose sight of the fact that taking down a threat of such magnitude is an extremely complex task.

And its disruption is by no means a reason to let your guard down.

Further reading:

Over the years, ESET researchers have shed light on Emotet’s methods in several articles and have also looked at some of the latest iterations of Emotet’s campaigns in ESET Threat Reports.

Emotet botnet hits quiet patch before Black Friday – the calm before the storm?
Emotet strikes Quebec’s Department of Justice: An ESET Analysis
Analysis of the latest Emotet propagation campaign
Black Friday and Cyber Monday by Emotet: Filling inboxes with infected XML macros
Emotet trojan frustrated by ESET protection