A syndicate of cybercriminals and hackers comprising what authorities have described as the “most dangerous malware” network in the world was dismantled by international authorities this week.
Police in the Netherlands, Germany, the United States, United Kingdom, France, Lithuania, Canada and Ukraine—working as part of a joint strike force coordinated by Europol—took control of several hundred internet servers that were being used to run and control Emotet: a service that gave cybercriminals unauthorised to computer systems around the world.
Europol described the network as a “go-to solution for cybercriminals” and a “a primary door opener for computer systems on a global scale”.
The hackers behind Emotet used automated emails to send malware to victims’ computers in the form of infected attachments. These attachments were typically disguised as innocuous but clickable documents such as invoices, shipping notices and COVID-19 public health information, thus luring recipients into opening them on their devices. Once the document was opened, victims were prompted to “enable macros”, which would install the malware.
What made Emotet particularly dangerous was the fact that, once installed on the victim’s device, this malware could then be offered for hire to top-level criminal groups, giving them access to the computer system so that they could then launch further attacks such as data theft and extortion.
Globally, it’s estimated that Emotet operators caused about $2.5 billion in losses as a result of their attacks on private and public institutions.
“[Emotet’s] unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild,” according to Europol. This resilience was further cemented by the network’s decentralised infrastructure, composed of hundreds of individual servers situated at different locations around the world.
Since as early as 2014, the network has evaded takedowns by international law enforcement and cybercrime authorities. Until this week.
Police agencies from at least eight different countries teamed up to disrupt and ultimately hijack Emotet’s facilities, taking control and bringing it down from the inside. Victims’ infected devices have since been redirected to the law enforcement-controlled infrastructure, and Ukraine's general prosecutor said police had carried out raids in the city of Kharkiv to arrest the hackers and seize their computers.
Police also seized large amounts of cash, gold bars and computer hard drives. Those arrested face up to 12 years in prison.
The bust is a major win for international cybercrime authorities—as Germany's Federal Criminal Police Office (BKA) noted in a statement, "Emotet is currently seen as the most dangerous malware globally.
"The smashing of the Emotet infrastructure is a significant blow against international organised internet crime,” they said.
A number of the servers currently under Dutch police control will send out a software update for Emotet that will deactivate the malware on infected systems, according to iTnews. That update also contains code to delete Emotet by March 25 this year—giving experts time to analyse existing computer infections and see what other kinds of malware might have been transmitted.
Follow Gavin on Twitter