With the takedown of the servers behind the aggressive Emotet malware, an important blow has been struck in the fight against cybercrime: the Emotet infection is no longer active on the computers of more than 1 million victims worldwide. The takedown took place this week in the large international police operation LadyBird, in which the Dutch National Unit and the National Prosecutor's Office worked together with police and judicial authorities in Germany, the United Kingdom, France, Ukraine, the United States, Canada and Lithuania. Two of the three main servers were located in the Netherlands and one abroad.
Emotet has played a key role in the cybercriminal landscape in recent years. It is a so-called "modular malware family": it can install a variety of additional malware on an infected system, steal passwords from browsers and e-mail clients, and is very difficult to remove. Infection with Emotet usually begins with a phishing e-mail, in which the victim is tricked into clicking a malicious link, for example in a PDF file, or into opening a Word document containing macros. The criminals behind Emotet used different kinds of "lures" to get unsuspecting users to open the malicious attachments; last year, for example, they pretended that the attachments contained information about COVID-19.
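To make that infection vector concrete, the following is an added example (my own illustration, not code from the police operation or from any party named on this page) of how a mail gateway can flag macro-bearing Office attachments of the kind Emotet relied on. Macro-enabled OOXML files (.docm, .xlsm, or a .docx that was simply renamed) store their VBA project as a `vbaProject.bin` part inside the zip container, so the check needs no Office installation. The sample attachments are constructed in memory, and the three-way verdict (quarantine / allow / review) is this example's own convention.

```python
"""Flag Office attachments that carry VBA macros.

Added illustration, not code from the Emotet investigation: macro-enabled
OOXML documents keep their VBA project at word/vbaProject.bin (Word),
xl/vbaProject.bin (Excel) or ppt/vbaProject.bin (PowerPoint) inside the
zip container, so a gateway can detect macros by listing the zip entries.
"""
import io
import zipfile

# Part names used by Word, Excel and PowerPoint for embedded VBA projects.
MACRO_PART_NAMES = (
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
)


def build_sample_docx(with_macros: bool) -> bytes:
    """Build a minimal OOXML container (a constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; the content does
            # not matter here because the check keys on the part name.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def find_macro_parts(data: bytes):
    """Return the VBA project part names found in an OOXML container.

    Returns None when the data is not a zip container at all (legacy OLE
    .doc/.xls, PDF, ...), because those need a different parser.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if name in MACRO_PART_NAMES]


def triage(data: bytes) -> str:
    """Decide what to do with one attachment.

    'quarantine': OOXML with an embedded VBA project (Emotet-style lure).
    'allow':      OOXML without macros.
    'review':     not OOXML; legacy .doc files can also carry macros, so
                  hand these to an OLE-aware tool instead of allowing them.
    """
    parts = find_macro_parts(data)
    if parts is None:
        return "review"
    return "quarantine" if parts else "allow"


def triage_attachments(attachments: dict) -> dict:
    """Map attachment filename -> verdict for a whole message."""
    return {name: triage(data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample message: the file names are illustrative only.
    sample = {
        "invoice.docm": build_sample_docx(with_macros=True),
        "covid_update.docx": build_sample_docx(with_macros=True),  # renamed, still macros
        "newsletter.docx": build_sample_docx(with_macros=False),
        "old_report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,  # OLE header, not zip
    }
    for name, verdict in triage_attachments(sample).items():
        print(f"{name}: {verdict}")
```

The verdict is based on the container's contents, not on the file extension, which is the point: renaming a `.docm` to `.docx` changes nothing inside the zip. Legacy binary `.doc` files are not zip containers and are deliberately routed to "review" rather than "allow", since Emotet also used that format.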
One of the things that makes Emotet so dangerous is that it opens the door for other types of malware. Large criminal groups paid for access to some of the infected systems in order to install their own malware on them. Concrete examples include the banking malware Trickbot and the ransomware Ryuk.
The damage caused by Emotet runs into the hundreds of millions of euros worldwide. According to the Dutch investigation, more than 1 million computer systems worldwide are known to have been infected by Emotet. The investigation also turned up 600,000 e-mail addresses with passwords.
The criminal organization behind Emotet spread the malware through a vast and complex network of hundreds of servers. Some servers were used to keep a grip on already infected victims and resell data, others to create new victims, and still others were used to keep police and security companies at bay.
A thorough and innovative investigation eventually mapped the entire infrastructure. Two of the three main servers were found to be located in the Netherlands, the third abroad. This week, investigators took control of this network and deactivated the Emotet malware. A software update has been placed on the Dutch central servers for all infected computer systems. Infected systems automatically retrieve the update from there, after which the Emotet infection is quarantined.
Police used their hacking powers to penetrate and investigate Emotet's cybercriminal infrastructure. Simultaneous action in all the countries involved was necessary to effectively dismantle the network and thwart any reconstruction of it.
The international police operation has ensured that the Emotet infection is no longer active on victims' computers. With the Emotet checker, consumers and the system administrators of companies and organizations can check whether their own devices and networks are infected and what to do if they are. This check matters because other malicious software, such as Trickbot and Ryuk, may still be active on these devices, having been installed via Emotet; deactivating Emotet itself does not remove it. Further tips on safe computing are provided.
Prosecutors and police launched a criminal investigation into Emotet in July 2019. The investigation into the criminal organization that develops and distributes Emotet is still ongoing. The suspicions against those involved include computer intrusion and theft of personal data. It is not yet known exactly how many individuals are involved. What is clear, however, is that the group is well organized and responds quickly to changing circumstances, which shows how professional these criminal groups are. Police and law enforcement should therefore have proportionate resources and experts at their disposal.
Backup files were found on some of the servers examined. With such backups, the perpetrators could be back in operation relatively quickly after their criminal infrastructure was taken down. The police hope this operation will seriously complicate any rebuilding of Emotet.
International cooperation is a prerequisite for success against such globally organized cybercrime organizations.
Since early 2020, the National Prosecutor's Office and the National Unit have been in close contact with Germany, France, the United Kingdom, the United States, Canada, Ukraine and Lithuania in this operation through Europol and Eurojust. There is also cooperation with various private parties and non-profit organizations and with the Dutch National Cyber Security Centre.
The international cooperation of public and private organizations is aimed at identifying and prosecuting suspects, collecting evidence, seizing virtual currency and stopping, disrupting and preventing serious crimes. Criminal law enforcement in the digitally connected world is of great importance. It is essential for citizens' confidence in digital technology and our rule of law.