For more than six years, the Emotet malware terrified the IT world. Now the authorities have pulled the plug on it. The operators had caused billions in damage, and lined their pockets in the process.
Hospitals, courts, city administrations and countless private users: since 2014, the malware has caused gigantic damage around the globe. Now the haunting should come to an end. At least for now. In a coordinated action, authorities and security experts hijacked the malware’s control servers. German authorities were also involved in the successful blow.
That’s what Arne Schönbohm, President of the Federal Office for Information Security (BSI), said at a press conference. In Germany alone, 17 servers were confiscated, and there were two arrests in Ukraine. The “king of malware” (Schönbohm) had its plug pulled in a joint action by international authorities and private security experts that had been secretly planned for two years. Europol and authorities in the USA, Canada, France and Ukraine also took part in “Operation Ladybird”, led by the German and Dutch authorities.
“Door opener” Emotet
Emotet, also known as the “Swiss Army Knife of Malware”, owed its danger to its flexibility. The malware spread via spam emails and was then able to take over computers and entire networks almost automatically via an underlying botnet. “The Emotet infrastructure basically worked like a first door opener,” explains Europol. Depending on the intended use, it could then be used for blackmail, data theft or the installation of additional malware.
“They were particularly good at getting behind the protective mechanisms,” “Wired” quotes security expert Martijn Grooten as saying. But the operators did not carry out every operation themselves. Instead, like legitimate software companies, they relied on services as a source of income: Emotet and its reach were also rented out as an attack service.
A video released by the Ukrainian police of the raid there hints at how much money this brought in for the operators. When the server operators were arrested, the officers seized not only computers, hard drives and other hardware, but also bundles of cash and even a collection of gold bars.
These revenues are certainly also due to the high-profile targets. In Germany, for example, the Fürth Clinic, the Berlin Court of Appeal, the Federal Real Estate Agency and the Frankfurt city administration were victims of Emotet. The damage in this country is estimated at around 14 million euros, worldwide at between 200 million and 2.1 billion euros. The takeover by the authorities surprised even experts. The operators had distributed the command and control servers of the botnet used for attacks across more than 90 countries; identifying the servers took over two years. All servers were taken over in one fell swoop. According to the BSI, 17 servers in Germany alone were confiscated, and hundreds worldwide, according to Europol. The blow was made possible when the main control server in Ukraine was taken over by the authorities.
There is also good news for those already affected: according to the investigators, taking over the command server made it possible to render the malware harmless on infected systems by sending a command to all affected computers. Nevertheless, the Dutch police advise not to take an infection lightly and to take action against it with security software. With one tool it is possible to check whether you are affected using your email address.
Is that the end?
It remains to be seen how lasting the blow is. Not all suspects were arrested, reports Wired, citing the Ukrainian authorities. According to this, further members of the hacking group have been identified, but they are still being searched for. The backers are believed to be in Russia.
Should previously unknown members of the group be able to recover the malware and the necessary servers, it might only be a matter of time before they revive the network or sell their knowledge on. This is what happened in the fall after a blow against TrickBot. However, the authorities currently seem optimistic. They “hope to have made a possible reconstruction of the Emotet network very difficult,” participating experts told “Wired”. “We found out how and where they create backups. And we have collected them all,” they said confidently. “Even if they are restored, we now have ways to combat it.”
But even the final disappearance of Emotet would not be a reason to breathe a sigh of relief. The investigators rightly called the action “a significant improvement in cybersecurity in Germany”, but in the long term Emotet is only likely to be replaced by another group. Until then, those involved can celebrate their victory.