On January 27, 2021, it has been announced that a coordinated effort by several law enforcement authorities has led to effective disruption of Emotet operations.
What is Emotet?
The Emotet group has been around for half a decade and has evolved its footprint in the cybercrime world from a banking Trojan to running lucrative business serving other threat actors. Similar with related groups, the Emotet group acts as a mafia-like structure and delivers attacks with a high degree of organization.
Emotet has successfully attacked a wide variety of companies worldwide and regularly made it to the news headlines. As a result, they are active in the digital underground where access to stolen data from their victims can be traded or bought. Beyond this offer, they also sell access to their victims’ compromised networks to other cybercriminals.
It is not surprising to observe other pieces of malware or further attacks being delivered to organizations which are already compromised via Emotet as these malware-as-a-service or crime-as-a-service business models are leveraged. For example, Emotet was associated to other threats including Trickbot and Ryuk malware, the latter representing one of the most notorious ransomware family.
Below is a typical infection chain involving the delivery of Emotet:
What has been achieved by the authorities of eight (8) countries in coordination by Europol and Eurojust is to be highly valued and celebrated accordingly. It also highlights that those authorities are quite effective against cyber criminals. By having taken over the IT infrastructure of Emotet, this coordinated effort will surely lead to an interruption of Emotet group activities.
However, this big win does not mean the end of the Emotet group activities and surely not the end of cybercrime. Without any further information on the status of investigation, it cannot be predicted how decisive it was. Trend Micro is monitoring the situation and will report soon about the impact of this operation.
The Emotet group is faced with the same problem of its victims, that is resilience. Its business model is very profitable and has been proven to work, so there is no doubt that in some way or another, the void will be filled up again.
Protecting your environment
While related cybercrime activities may decrease, it is time to review your security status and ensure proper countermeasures are in place. This includes enhancing visibility of suspicious activities that may be indicator of compromise. Trend Micro Vision One may help you to achieve this.
On the otherhand, having taken over Emotet infrastructure, authorities are able to communicate back to Emotet compromised systems. The authorities has triggered the uninstallation of Emotet "agents" on April 25, 2021. It is highly recommended to look for Emotet-related activities within your environment prior to this date. This task might be more difficult after the said schedule.
Note that a service has been provided by the Dutch Police that allows you to check if some data related to a specific email address has been leaked out.
If you need further assistance, please contact Trend Micro Technical Support.