For more than half a decade, the malware known as Emotet has menaced the internet, growing into one of the largest botnets in the world and targeting victims with data theft and crippling ransomware. Now a sprawling, global police investigation has culminated in Emotet’s takedown and the arrest of multiple alleged members of the criminal conspiracy behind it.
Europol announced today that a worldwide coalition of law enforcement agencies across the US, Canada, the UK, the Netherlands, Germany, France, Lithuania, and Ukraine had disrupted Emotet, what it called the “most dangerous malware in the world.” The global effort, known as Operation Ladybird, coordinated with private security researchers to disrupt and take over Emotet’s command-and-control infrastructure—located in more than 90 countries, according to Ukrainian police—while simultaneously arresting at least two of the cybercriminal crew’s Ukrainian members.
A video of a raid released by Ukrainian law enforcement shows officers seizing computer equipment, cash, and rows of gold bars from alleged Emotet operators. Neither Ukrainian police nor Europol has named the arrested hackers or detailed their alleged role in the Emotet crew. A statement from Ukrainian authorities notes that “other members of an international hacker group who used the infrastructure of the Emotet bot network to conduct cyberattacks have also been identified. Measures are being taken to detain them.”
“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” reads a Europol statement about the operation. The international investigation and disruption operation, the statement reads, “resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.”
According to the Dutch police, Emotet had caused hundreds of millions of dollars in total damages, while Ukrainian law enforcement put the number at $2.5 billion. The botnet had spread mainly through spam containing malicious links and documents infected with tainted Microsoft Office macros, and had become notorious for delivering everything from banking trojans to ransomware to victims’ machines.
The botnet’s operators had a reputation for being particularly skilled at evading spam filters, says Martijn Grooten, an independent security researcher and former organizer of the Virus Bulletin conference who has tracked Emotet for years. They used compromised mail servers to send their mass email lures, and spread laterally within an organization’s network to gain a larger foothold on multiple machines after a victim took the bait. Emotet’s operators partnered with other cybercriminal gangs, too, selling access to those focused on theft and ransomware. It helped grow other large botnets like Trickbot, which infected over a million computers before it was partially disrupted by a security industry coalition and US Cyber Command in October. “They were particularly good at getting behind companies’ defenses,” says Grooten. “You just click on a Word attachment, enable macros, and it turns out access to your computer was sold to a ransomware operator and your company gets ransomed for $2 million.”