NCA joins global operation to disrupt world’s most dangerous malware

The National Crime Agency (NCA) was part of a global action by law enforcement and judicial authorities to “severely disrupt” one of the world’s most malicious pieces of malware seen in the past decade.

Jan 27, 2021
By Paul Jacques

The Emotet botnet was said to be one of the “biggest players in the cybercrime world” and allowed criminal gangs to install ransomware and steal data from computer users.

Europol, which coordinated this month’s week-long operation alongside Eurojust, said law enforcement teams gained control of the infrastructure and “took it down from the inside”.

It said this was a “unique and new approach to effectively disrupt the activities of the facilitators of cybercrime”, adding that the infected machines of victims have now been redirected towards this law enforcement-controlled infrastructure.

Authorities in the Netherlands, Germany, the US, France, Lithuania, Canada and Ukraine took part alongside the UK in the international operation, in which the take-down was carried out on Tuesday (January 26) and properties were searched in Ukraine. The NCA said it worked with law enforcement partners across Europe and North America for nearly two years to map the infrastructure of Emotet, which it described as “a pervasive malware that not only infected computers, but also enabled other malware to gain access and cause significant damage to victim networks”.

Europol said Emotet has been “one of the most professional and long lasting cybercrime services out there” and was offered for hire to other cybercriminals.

“First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years,” said Europol. “The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”

Europol said the Emotet group managed to take email as an attack vector to “a next level”.

It added: “Through a fully automated process, Emotet malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about Covid-19.

“All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to ‘enable macros’ so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.”
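As an added defensive illustration (not code from the NCA, Europol or the article), the following check flags Office attachments that carry a VBA project, which is the property the lures described above depend on. It assumes the attachment bytes have already been extracted from the message; the sample documents are constructed inline.

```python
"""Flag Office attachments that carry VBA macros (OOXML container check).

Illustrative example added here, not NCA/Europol code. Assumes attachment
bytes are already extracted; sample documents are constructed below.
"""
import io
import zipfile

# Magic bytes of the legacy (pre-2007) OLE compound file used by .doc/.xls
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros sit in OLE streams, so this needs a
        # dedicated OLE parser; flag it for deeper inspection instead.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project part is present whatever the file is renamed to
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Macro-enabled content types also betray a .docm/.dotm package
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types_xml:
                return "macro"
    except (zipfile.BadZipFile, KeyError):
        return "not-office"
    return "no-macro"


def build_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package containing only the parts inspected."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml"
                 if with_macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                 f'package/2006/content-types"><Override PartName="/word/document.xml" '
                 f'ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()
```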

What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer, said Europol.

It explained: “This type of attack is called a ‘loader’ operation, and Emotet is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.

“Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.”

Working with Emotet data, the NCA gained insight into the movement of illicit funds used to pay for the infrastructure.

Analysis of accounts used by the group behind Emotet showed $10.5 million being moved over a two-year period on just one virtual currency platform. NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.

Further criminal servers identified by the NCA were also taken offline during the same operation, with at least 700 servers taken down globally with partners.

Nigel Leary, deputy director of the National Cyber Crime Unit, said: “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to 70 per cent of the world’s malwares, including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses.

“Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.

“This case demonstrates the scale and nature of cybercrime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically.

“Using our international reach, the NCA will continue to work with partners to identify and apprehend those responsible for propagating Emotet malware and profiting from its criminality”.

The infrastructure used by Emotet involved several hundred servers located across the world, each with a different function: managing the computers of infected victims, spreading to new ones, serving other criminal groups, and ultimately making the network more resilient against take-down attempts.

As part of a criminal investigation conducted by the Dutch National Police into Emotet, a database containing stolen email addresses, usernames and passwords was discovered. It said that as part of a “global remediation strategy” to notify those affected and begin cleaning up the compromised systems, this information was being distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs).


Copyright © 2024 Police Professional