In an extraordinary broad, well-coordinated and timed collaboration, law enforcement agencies of eight countries and the Europol have teamed together to takedown the globally distributed infrastructure Emotet had nurtured over the years.
While the Europol’s announcement might seem trivial and abstract to some, only valuable to cyber researchers like us, it is worth noting that throughout 2020, Emonet potentially affected one out every five organizations worldwide. Often unaware, the infected companies had increased chances of being victims of ransomware. This news reflects the importance of global cyber task forces and joint interests to protect the public from cyber-threats that have caused losses of millions of dollars in damages and disrupted business globally.
Emotet, which was once a Banking Trojan and became a full-blown botnet was the most successful and prevalent malware of 2020 by a long way. Data from Check Point Research’s ThreatCloud, shows that over the course of last year, Emotet impacted the networks of 19% of organizations globally. Check Point’s latest Global Threat Index even revealed that the Emotet Trojan had returned to first place in the December top malware list, impacting 7% of organizations globally that month, following a spam campaign, which targeted over 100,000 users per day during the holiday season.
The botnet earned its reputation for its not only dynamic nature and unique technical features, but also because of the highly organized criminal business model, it developed. Instead of acting alone, the threat actors behind Emotet chose to collaborate with other organized cybercrime groups like Trickbot and Ryuk ransomware, and together they became very effective partners in crime.
In this vicious coalition, Emotet, through its broad worldwide infrastructure, was responsible for gaining the first foothold within companies and organization all around the globe. This large base of infections was then sold to other cybercrime operations such as Trickbot, which was responsible for broadening the foothold within the compromised networks by lateral movement, dissecting and mapping them into industries and companies, and in turn selling those infected networks onto ransomware players such as Ryuk, leading to some very high profile and publicized cases.
This has been the infrastructure behind the ongoing success of ransomware attacks in recent years.
In November, Check Point Research found that Trickbot and Emotet laid the foundations to ransomware attacks against hospitals and healthcare providers globally, driving a spike in ransomware attacks worldwide. This is being done due to the abilities described here.
In 2020 the Emotet botnet, which lured victims through phishing emails, sent over 150,000 different email subject lines. The botnet constantly adjusted its phishing emails to reflect victims’ interests and capitalize on global events (e.g. the Covid–19 pandemic or major shopping seasons such as Black Friday).
So far, very little information has been publicly shared regarding the extent of this takeover. According to Europol´s statement in the hours following the joint statement, evidence began to appear online of possible arrests made alongside takeovers of offensive infrastructure. If this evidence is conclusive, the damage to the Emonet infrastructure could be fatal. However, it is yet too early to determine. Europol’s announcement shows how close co-operation between security researchers, software vendors, law enforcement and government agencies can mitigate and even eliminate major cyber-threats and disruptive attacks which can impact all of our lives. Based on these successes, we are optimistic that 2021 will give many more positive examples of how cyber-threats are being overcome.
Emotet activity peaked this year during August-October with an average of 47,000 infection attempts spotted each month. In November, this number dropped to under 700 after Emotet took a short break. In the last two months, Emotet has been active with around 10,000 per month, which is almost 80% lower than the amount seen earlier.
In parallel, we have also seen over 40% decrease in new Emotet C&C communication in the past 2 months vs. the peak period