The Emotet botnet was taken down last week thanks to a coordinated international effort. Considered one of the most prolific malware botnets, Emotet evolved from a banking trojan to a pay-per-infection business, showcasing advanced spreading techniques. While we might see a dip in global malware infections in the short term due to the takedown of the backbone infrastructure, there is little to no doubt that the operators and masterminds behind Emotet will return in some form.
A coordinated multinational Europol effort has successfully taken down the Emotet infrastructure, the backbone of a botnet operation that infected millions of computers worldwide and caused damages estimated at anywhere from several hundred million dollars to $2.5B. In a video released from the raid on a Ukrainian Emotet operations center, viewers can see the hardware used by the criminals as well as cash from different countries, passports, and bars of gold and silver.
Emotet emerged as a banking trojan in 2014 but has since evolved, both on the technical and the business side. While maintaining its data stealing capabilities, Emotet's business expanded into a pay-per-infection service. Once Emotet had infected a large enough number of computers it became a loader for other types of malware (think of it like a NASCAR racer who gets paid for putting stickers from different sponsors on their car: other cybercrime groups pay the Emotet team to spread their malware), and Emotet's operation changed from pure banking malware to Malware as a Service (MaaS).
How Emotet Was Removed
Emotet's takedown is neither the first nor the last botnet takedown operation. It takes a significant amount of time and effort to take down a botnet, as well as a judgment that taking it down will be more beneficial than continuing to monitor and study it. From past experience with botnets and cybercrime forums we know that a takedown ultimately results in an evolution of the operators' capabilities; such was the case with dark web sites like DeepDotWeb as well as with malware like Trickbot.
When a law enforcement agency decides to take down such an operation it targets one (or more) of three components, People, Process and Technology, which are common to any business. In Emotet's case the main target was the technology: the infrastructure used by the botnet for command and control. Other botnets were stopped by having their operators arrested, as was the case with Mirai, Satori and multiple DDoS botnets. It is worth noting that two Emotet operators have been arrested and face up to 12 years in prison.
The third component is the process. Several botnets have been taken down by seizing or sinkholing their command and control domains, so that infected machines report to servers controlled by law enforcement instead of the operators, sometimes combined with a kill switch or uninstall routine pushed to the bots from the seized infrastructure. These sinkhole tactics are a good example of malware evolution: they were one of the drivers for the creation of P2P botnets (a decentralized method of botnet operation with no single set of C2 servers to seize, GameOver Zeus being a prime example of one such botnet).
The Impact of Emotet Removal
For all the above reasons the biggest effect of the Emotet takedown will be in the short term. With the Emotet MaaS business gone, enterprises and individuals will suffer fewer malware infections. This means fewer info stealers, less ransomware and fewer spam bots. The flip side, in the short term, is that the operators of the malware that was spread by Emotet may fear their malware will be identified as well and may shift gears in their attacks and ransomware demands. In the long term, however, it is highly unlikely that the masterminds behind this operation will decide to change their ways and become law abiding citizens. Chances are they will take their time to regroup and prepare their future criminal activities.
Emotet and other malware use various techniques to evade detection. These include polymorphism (every build of the payload is repacked so that each infected bot carries a file with a different hash, defeating exact-match signatures), a Wi-Fi spreader module that brute-forces nearby wireless networks to reach new hosts, and malicious email attachments, amongst others. EDR alone is no match for advanced attacks and malware. Cato Networks' Shay Siksik has detailed the need for MDR in his blog about Sunburst. The future of fighting these types of threats starts with changing the current siloed, point solution approach to cyber security into a converged, shared context solution architecture.
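To make the polymorphism point concrete, here is an added example (not code from Cato Networks, Emotet, or any real sample) showing why an exact-hash blocklist fails against repacked builds while a rule on the invariant part of the payload still fires. The byte strings, seeds and markers (`CORE`, `LOADER-CORE-V1`, the `c2=` config string) are constructed stand-ins for illustration only; real packers also encrypt the body, so in practice the stable indicator is usually found in unpacked memory or in behaviour (process, file and network telemetry) rather than in on-disk bytes, which is where EDR/MDR telemetry comes in.

```python
import hashlib
import random
import re

# --- constructed test data (not real Emotet bytes) ---------------------------
# A polymorphic packer keeps the malware's logic and embedded config intact but
# wraps every build in different junk, so each infected host carries a file
# with a different hash. CORE stands in for the invariant part of a sample.
CORE = (
    b"\x55\x8b\xec"                 # stand-in for a stable function prologue
    b"LOADER-CORE-V1"               # stand-in for loader logic that never changes
    b"c2=c2.example.invalid:8080"   # stand-in for an embedded C2 config string
)


def build_sample(seed: int) -> bytes:
    """Return one 'build' of the sample: CORE wrapped in seed-dependent junk."""
    rng = random.Random(seed)  # deterministic so the example is reproducible
    junk_before = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 64)))
    junk_after = bytes(rng.getrandbits(8) for _ in range(rng.randint(16, 64)))
    return junk_before + CORE + junk_after


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- detection 1: exact-hash blocklist ---------------------------------------
# Built from the first sample an analyst saw (build seed 1). This is what a
# hash-based AV signature or a threat-intel feed of file hashes gives you.
HASH_BLOCKLIST = {sha256_hex(build_sample(1))}


def hash_match(sample: bytes) -> bool:
    return sha256_hex(sample) in HASH_BLOCKLIST


# --- detection 2: content rule on the invariant part -------------------------
# The equivalent of a YARA rule: match on bytes the packer cannot change
# without breaking the malware (here the config marker and the core marker).
CONTENT_RULES = [
    re.compile(rb"c2=[a-z0-9.\-]+:\d{2,5}"),  # embedded C2 config pattern
    re.compile(rb"LOADER-CORE-V\d"),          # loader core marker
]


def content_match(sample: bytes) -> bool:
    return all(rule.search(sample) for rule in CONTENT_RULES)


def triage(samples):
    """Run both detections over a list of samples and report per-sample verdicts."""
    return [
        {
            "sha256": sha256_hex(s),
            "hash_match": hash_match(s),
            "content_match": content_match(s),
        }
        for s in samples
    ]


if __name__ == "__main__":
    builds = [build_sample(seed) for seed in (1, 2, 3)]
    for verdict in triage(builds + [b"benign file with none of the markers"]):
        print(verdict)
```

Only the build the blocklist was derived from hits the hash rule; every other build of the same payload slips past it, while the content rule catches all of them and ignores the benign file. The design choice that matters is what you anchor the rule on: something the operator must keep (config format, a core routine, a beacon shape) rather than something a packer rewrites for free.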