Emotet Takedown Disrupts Vast Criminal Infrastructure; NetWalker Site Offline

emotet takedown

Hundreds of servers and 1 million Emotet infections have been dismantled globally, while authorities have taken NetWalker’s Dark Web leaks site offline and charged a suspect.


The virulent malware known as Emotet – one of the most prolific malware strains globally – has been dealt a blow thanks to a takedown by an international law-enforcement consortium.

Meanwhile, the NetWalker ransomware has also been subjected to partial disruption, according to the U.S. Department of Justice.

On the Emotet front, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States have worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The effort eliminated active infections on more than 1 million endpoints worldwide, they said.

Emotet is a loader-type malware that’s typically spread via malicious emails or text messages. It’s often used as a first-stage infection, with the primary job of fetching secondary malware payloads, including Trickbot, Qakbot and the Ryuk ransomware. Its operators often rent its infrastructure to other crime groups for use in achieving initial access into corporate networks. With an average rate of 100,000 to a half-million Emotet-laden emails sent per day, Europol has dubbed it the “world’s most dangerous malware.”

An Emotet snapshot (click to enlarge). Source: Europol.

“It is a so-called ‘modular malware family’ that can install all kinds of additional malware on systems, steals passwords from browsers and email clients, and is very difficult to remove,” according to an announcement from Dutch police issued on Wednesday. “One of the things that makes Emotet so dangerous is that Emotet opens the door to other types of malware, as it were. Large criminal groups were given access to some of those systems for payment to install their own malware. Concrete examples of this are the financial malware Trickbot and the ransomware Ryuk.”

The infrastructure that international police seized was wide-ranging, authorities said. “Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay,” according to the Dutch police.

An announcement from Europol added, “The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.”

The Dutch authorities also found a database of around 600,000 stolen email addresses with passwords lurking on one of the servers; people can check to see if they’ve been compromised via a special checker website.

Details on how Operation LadyBird specifically worked are scant, but Europol noted: “Law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.  This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Meanwhile, criminal investigations are continuing globally in an effort to track down the individuals responsible for the Emotet scourge, according to Europol.

“The result here is gratifying, but the havoc Emotet wreaked across numberless networks in seven years is alarming,” Hitesh Sheth, president and CEO at Vectra, told Threatpost. “We’ve got to aspire to more international cooperation for cybersecurity plus better response time. None of us know how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”

Permanent Takedown?

Of course, takedowns are no guarantee that a malware operation will remain permanently disrupted, as demonstrated by the Trickbot operation last fall; after that dismantling effort, Trickbot returned to the scene within two months.

“Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever,” said Brandon Hoffman, CISO at Netenrich, speaking to Threatpost. “Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods. There is a lot that we know about Emotet and we can apply those learnings for future defense, ideally providing earlier detection/prevention.”

According to Europol, in this case the agencies were able to seize the assets that would make a comeback possible for the malware’s operators.

“Back-up files were found on a few examined servers,” according to the alert. “With the help of such back-ups, the perpetrators can be operational again relatively quickly if their criminal infrastructure is taken down. The police hope that this operation will make a possible reconstruction of Emotet seriously difficult.”

Stefano De Blasi, threat researcher at Digital Shadows, told Threatpost that this latest Europol operation “holds the promise of having caused severe disruption to Emotet’s networks and command-and-control infrastructure.” He noted, “The ‘new and unique approach’ of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer down time for Emotet.”

Nonetheless, he agreed that it is unlikely that Emotet will cease to exist altogether after this operation.

“Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure – just like the TrickBot operators did.”

Constantly Evolving Emotet

Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, is a top threat, accounting for 30 percent of malware infections worldwide.

It continues to add functionality, such as the ability to spread to insecure Wi-Fi networks that are located nearby to an infected device; the ability to spread via SMS messages; and the use of password-protected archive files to bypass email security gateways.

Palo Alto Networks also reported to CISA last year that researchers are now seeing instances of “thread jacking” – that is, intercepting an existing email chain via an infected host and simply replying with an attachment to deliver the malware to an unsuspecting recipient.

And the threat isn’t limited to desktop computers. Steve Banda, senior manager of security solutions at Lookout, told Threatpost Emotet has gone mobile in the past few months, too.

All of the activity led the Feds in the fall to issue a warning that state and local governments needed to fortify their systems against the trojan.

“Emotet’s relevance on the cyber-threat landscape cannot be overstated,” Digital Shadows’ De Blasi said. “Emotet operators frequently modified the techniques used by this botnet to obfuscate its activity and increase its distribution; social-engineering attacks such as spear-phishing emails containing malicious attachments have been one of the most successful tactics employed by Emotet.”

Possible NetWalker Disruption

Meanwhile, the NetWalker ransomware operation has been impacted by a law enforcement action.

The Dark Web site that the ransomware uses to publish the data it steals during its campaigns is displaying a  seizure notice, researchers reported on Twitter early Wednesday. A few hours later, the Justice Department confirmed the seizure (by Bulgarian national police) and also announced federal charges against a NetWalker suspect.


The notice says that the FBI and the national police force of Bulgaria have worked together to sinkhole the sites. The news drew plenty of attention: One person tweeted that she was being taken to a 404 page rather than the legal action notice when trying to access the site, due to demand.

The Feds also seized around a half-million dollars in cryptocurrency extorted by ransom efforts — though they said the suspect, Canadian national Sebastien Vachon-Desjardins, has actually banked closer to $27.6 million over the course of his NetWalker activities.

More about the NetWalker action can be found here.

This article was updated at 4 p.m. ET on Jan 27, 2020 to confirm the NetWalker enforcement action.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles