We won the battle but not the war

Blog Cybersecurity Phishing
Pic Source: via Unsplash

In recent years, the malicious botnet Emotet has regularly topped the rankings of the most dangerous cyberthreats. Now the malware, which had been spreading as a Trojan since 2014, has been rendered harmless as part of a concerted effort by Europol and the BKA. What does this mean for the current threat situation? Is the danger of cyberattacks now less? Yes and no, because there are still countless other attackers and cybercriminals lurking out there.

As recently as last year, the notorious malware led the Global Threat Index 2020 as the most dangerous malware at present. Almost 20 percent of all German companies were affected by it in December. Last summer, another 100,000 users fell victim to an Emotet-infected spam campaign. At the Berlin Court of Appeal, for example, Emotet caused a total IT disaster. The court had to be disconnected from the Berlin state network. The malware had also caused considerable damage at the Fürth Clinic and at the Frankfurt am Main city administration – and also to tens of thousands of private individuals. Investigators estimate that at least 14.5 million euros in damage was caused in Germany alone.

Door opener for further malware

The perfidious thing about Emotet: The malware acts as a door opener for further malware. Thus, it not only stole data, but also opened the backdoors for further malware. Formerly used as a banking Trojan, Emotet recently served more as a spreader of other malware or entire campaigns. It used various methods to stay operational and knew evasion techniques to avoid detection.

“At its core, the ‘Emotet’ infrastructure functioned like an initial door opener into computer systems on a global scale,” the agency said. “The system was uniquely capable of infecting entire networks just by gaining access to a few pieces of equipment.” A Word document, often disguised as an innocuous-looking attachment to an email or even a link, was used to break into the system, Europol described.

Once illegal access was gained, it was sold to cyber criminals. These in turn were able to infiltrate their own Trojans in order to gain access to bank data, resell captured data, or extort a ransom for blocked data.

BKA: Emotet infrastructure under control and destroyed

Last Wednesday, the Trojan’s activities came to an end: the Federal Criminal Police Office (BKA) and the Frankfurt General Prosecutor’s Office announced that German investigators and an international group of investigators had managed to render the criminal software harmless as part of a concerted effort. Police agency Europol said the global infrastructure on several hundred computers was first brought under control and then destroyed. The operation lasted more than two years. It was carried out under German and Dutch leadership with investigators from a total of eight countries. The dismantling was carried out together with law enforcement agencies from the Netherlands, Ukraine, Lithuania, France, the United Kingdom, Canada and the United States, the BKA said.

Investigators had initially identified various servers in Germany that were used to distribute the malware, and later others in other European countries. In Germany alone, investigators have so far seized 17 servers. In Ukraine, law enforcement initially took control of the Emotet infrastructure at one of the suspected operators. As a result, the press release says, “it was possible to render the malware on affected German victim systems unusable for the perpetrators.” In other words, where Emotet had already penetrated a system, the malware was moved so that it could no longer cause damage. In addition, it could only communicate with servers that were operated to preserve evidence.


Emotet has been one of the “most dangerous tools for cyber attacks” in recent years, a Europol spokeswoman said. Emotet’s criminal business model could be described as “malware-as-a-service,” she said. It has provided more criminals with the basis for targeted cyber attacks, she said.

“Law enforcement has managed to take over the infrastructure,” said Monika Bubela, cyber security specialist at Perseus, describing the investigators’ access, “which means that the infected machines are now forwarded to law enforcement and not to the criminals. In simple terms, we can say that the criminals have lost access to the infected infrastructure and the further spread of the malware has been prevented. The Dutch police have also managed to recover a database of stolen emails so that users can check if their emails were affected.”

Has the threat of cyberattacks now been significantly reduced as a result?

“The significance of this blow against cybercriminals is very great, because Emotet was one of the most active and hardest malware to remove, and it spread easily, Bubela said, “So at the moment Emotet is “pacified” and on hold, so it’s no longer a threat.”

At least for now: it’s entirely possible that Emotet could have reloaded other malware into the infected systems in time. And they could remain active. The “Trickbot” case has also shown that shutting down the infrastructure does not necessarily mean the end of criminal activity: crippled in October, the banking Trojan was active again just four weeks later.

Does this mean that Emotet is finally over?

Even BSI President Schönbohm does not consider Emotet to be a settled problem yet. “If you receive information from your provider about an Emotet infection on your systems, please take it seriously,” he informed, referring to his agency’s assistance.

“Clean up your systems! If Emotet has infected your systems, we have to assume that other malware has managed to do the same.”

The question is whether Emotet operators – assuming they are not detained – will build a new infrastructure. At the very least, that rebuild would take a lot of time – and money. So this concentrated blow to cybercrime has at least provided a breather.