Cybersecurity professionals around the globe let out a collective cheer with the takedown of the notorious EMOTET botnet, which required involvement from law enforcement agencies in eight different countries. The two questions many cybersecurity professionals now have are what took so long and whether such actions can be replicated.
This takedown of EMOTET was carried out under a European Multidisciplinary Platform Against Criminal Threats (EMPACT) framework set up in 2010 for EUROPOL by the member states of the European Union (EU). That framework has been used to arrest criminal gangs operating across borders, but success against cybercriminals has often proved to be more elusive.
The takedown was coordinated by Europol and Eurojust, which coordinates judicial actions across the EU. In this case, law enforcement agencies from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine all participated.
The EMOTET botnet gained notoriety because it leverages Microsoft Word documents infected with malware to gain access to PCs and harness computing power. The cybercriminals who controlled the botnet would then essentially rent out that network of systems to cybercriminals that would launch attacks, such as a ransomware attack, by piggybacking on the EMOTET botnet.
Hundreds of servers distributed across the world were at the core of EMOTET infrastructure. Law enforcement and judicial authorities said they gained control of that infrastructure, which enabled them to take it down from the inside. Infected machines have been redirected toward infrastructure controlled by law enforcement agencies, which effectively means cybercriminals can’t simply spin up new servers to relaunch EMOTET. Organizations are now being advised to scan their systems for EMOTET malware to make sure they are not compromised at some point in the future.
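The article advises organizations to scan their systems for EMOTET artifacts, and the infection vector it names is malicious Word documents. The script below is an added example, not code from the article or from any law enforcement agency: it walks a directory and flags OOXML Word files (.docx/.docm/.dotx/.dotm) that carry a VBA project, using the two markers such a file contains (the word/vbaProject.bin part and the macro-enabled main-part content type). The sample documents it builds in memory are constructed for the demonstration, not real EMOTET droppers, and the detection only identifies macro-bearing files for review; it does not decide whether a macro is malicious. Legacy binary .doc (OLE2) files are not parsed and are reported as NOT_OOXML so they can be handed to an OLE-aware tool.

```python
"""Flag macro-bearing Word (OOXML) files on disk.

Added example, not from the article. Looks for the two markers an OOXML
document carries when it contains VBA: the word/vbaProject.bin part and
the macro-enabled main-part content type. Legacy binary .doc (OLE2)
files are not parsed; they are reported as NOT_OOXML for follow-up.
"""
import io
import os
import zipfile

MACRO_MARKER = "macroenabled"        # present in [Content_Types].xml of .docm/.dotm
VBA_PART = "word/vbaproject.bin"     # binary VBA project container (lower-cased)
WORD_EXTENSIONS = (".docx", ".docm", ".dotx", ".dotm")


def classify_word_file(data: bytes) -> str:
    """Return "MACRO", "CLEAN" or "NOT_OOXML" for the given file contents."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower == VBA_PART:
                    return "MACRO"
                if lower == "[content_types].xml":
                    content_types = zf.read(name).decode("utf-8", "replace").lower()
                    if MACRO_MARKER in content_types:
                        return "MACRO"
    except zipfile.BadZipFile:
        # Not a ZIP container: legacy OLE2 .doc, renamed file, or corrupt data.
        return "NOT_OOXML"
    return "CLEAN"


def scan_directory(root: str) -> dict:
    """Classify every Word file under root; returns {path: verdict}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(WORD_EXTENSIONS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    results[path] = classify_word_file(fh.read())
    return results


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed sample, not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream; not real VBA.
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_word_file(build_sample_docx(True)))    # MACRO
    print(classify_word_file(build_sample_docx(False)))   # CLEAN
    print(classify_word_file(b"not a zip"))               # NOT_OOXML
```

Run scan_directory() over a file share or mailbox export directory to get a list of documents that deserve a second look; a file classified MACRO is a triage candidate, not a confirmed infection, and a NOT_OOXML verdict on a .doc file means the check simply does not apply.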
As part of the criminal investigation, a database containing e-mail addresses, usernames, and passwords stolen by EMOTET was discovered in the Netherlands. Individuals and organizations can check to see if their e-mail address has been compromised. As part of an effort to notify the owners of infected machines, information was distributed worldwide via the Computer Emergency Response Teams (CERTs) network.
What's next after the EMOTET takedown
It’s conceivable that cybercriminals could reconstruct servers in countries where law enforcement agencies are less inclined to collaborate with agencies outside their own borders, so agencies are anxious to help organizations rid systems of EMOTET malware.
Of course, EMOTET may be one of the best-known botnets, but it's hardly the only one. The challenge cybersecurity teams will continue to face is the prevalence of bots that rely on command-and-control systems beyond the reach of agencies such as EUROPOL. Cybercriminals may simply go to ground by building smaller botnets that operate in a federated manner only when necessary.
Cyberattacks launched via botnets result in trillions of dollars being drained from the global economy. Despite that damage, leaders of various nation-states will continue to focus on promoting agendas that in many cases count on the existence of rogue cybercriminals to disrupt rivals and steal intellectual property. That doesn’t make the taking down of the EMOTET botnet any less of a triumph, but it does make it crystal clear just how big a scourge those botnets really are.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.