Botnet takedown brings short-term celebration, long-term concerns
Emotet—one of the world’s most dangerous botnets and a vector for malware and ransomware attacks—suffered a major setback nearly two weeks ago when an international law enforcement collaboration disrupted its infrastructure. But security researchers warn the malware and its operators may still prove to be a threat, and its takedown may give other attackers a chance to grow.
The takedown was no small task: Authorities including Europol, the FBI, and the UK’s National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine, teamed up to bring down one of the world’s most prolific and dangerous botnets.
As of December 2020, Emotet was the world’s most popular malware, affecting 7% of organizations globally, Check Point research found. Its massive presence made it an appealing vector for attackers who wanted to deploy widespread malware and ransomware campaigns.
“Emotet, in a way, was by far the most successful botnet ever invented,” says Lotem Finkelsteen, Check Point’s head of threat intelligence. Several factors drove the botnet’s growth: infection tactics that steadily enlarged its base of compromised devices; the attackers’ ability to tailor phishing lures to current events; and the attackers’ use of infected devices to send spam across a corporate network.
By the time law enforcement intervened, Emotet involved several hundred servers around the world. The botnet had infected more than 1.6 million machines and caused hundreds of millions of dollars in damage, the Department of Justice reported following its disruption.
Now, officials have gained control of Emotet infrastructure and taken it down from the inside. Infected devices have been redirected to law enforcement-controlled infrastructure, which will limit the spread of Emotet because attackers won’t be able to sell access to affected computers.
“The current operations are mostly disrupted, the operations that were in the near future are, of course, disrupted. … In that sense, there’s a massive win,” says Stefano DiBlasi, threat researcher with Digital Shadows. Experts agree that Emotet’s takedown is good news for the security community; however, they remain concerned about what could happen in the future.
This isn’t the first time we’ve seen the disruption of a major botnet. A few months before the Emotet operation, security firms and financial groups collaborated to disrupt Trickbot. But the effects didn’t last; shortly after, activity from the botnet proved its resistance to takedowns.
To read the complete article, visit Dark Reading.