
Emotet taken down in global law enforcement operation

Ukraine's National Police said two citizens of Ukraine face up to 12 years in prison for their role in maintaining and operating Emotet, and other suspects have been identified.

The infamous Emotet botnet operation has been disrupted, thanks to an international operation coordinated by Europol and Eurojust.

Emotet's infrastructure has been taken over as part of an "international coordinated action" between law enforcement agencies in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the U.S., "with international activity coordinated by Europol and Eurojust," according to a Jan. 27 press release by Europol.

According to the release, the Emotet infrastructure comprised "several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts."

The takedown itself required a "unique and new approach" on the part of law enforcement.

"To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week's action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime," the press release read.

A Europol spokesperson told SearchSecurity that "this was indeed a purely law enforcement takedown," when asked about whether any assistance was given by private technology or cybersecurity companies.

According to a news release by Ukraine's National Police (translated via Google Translate), two citizens of Ukraine were identified "who ensured the proper functioning of the infrastructure for the spread of the virus and maintained its smooth operation." However, Ukrainian authorities did not publicly identify the suspects in the announcement.

"The perpetrators face up to twelve years in prison with confiscation of property. Other members of an international hacker group who used the infrastructure of the EMOTET BOT network to conduct cyberattacks have also been identified. Measures are being taken to detain them," the release reads.

Commenting on its role in the joint operation, Serhiy Kropyva, First Deputy Head of the Cyber Police Department, referred to Ukrainian law enforcement as "the locomotive of the operation."

Although Emotet was first discovered as a banking Trojan in 2014, the threat has evolved over the years, and the name now refers to its numerous botnets and related phishing campaigns. Once Emotet had opened a door into a user's system, its operators would sell that access to additional threat actors, including ransomware gangs.

Last July, Emotet was hacked by unknown individuals, who replaced multiple distribution files with humorous GIFs. In addition, Emotet has frequently ranked at the top of Check Point's "top malware families" list in its Global Threat Index (as recently as December). Tenable also called Emotet one of the four most prolific malware strains last year in its "2020 Threat Landscape Retrospective."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
