Emotet, the notorious email-based Windows malware responsible for botnet span campaigns and ransomware attacks over the last decade, has been dismantled by law enforcement agencies across the world.

The takedown of the botnet titled “Operation Ladybird”, was a joint effort involving as many as 8 different countries including the U.S., U.K., France, the Netherlands, Germany, Canada, Lithuania and Ukraine. Officials from these countries were able to take control of the servers used to run and control the malware.

“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” Europol said. “What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer.”

Emotet was first identified in 2014 as a credential stealer and banking Trojan. Since then, it can also serve as malware that can steal information, act as a downloader, and also a spambot.  The malware is constantly being developed, and updates regularly to improve its stealthiness, persistence and spying capabilities on nearby Wi-Fi networks.

In 2020, the malware was linked to botnet-driven spam campaigns that were capable to deliver TrickBot or Ryuk ransomware.

“The Emotet group managed to take e-mail as an attack vector to a next level,” Europol said.

According to the U.K.’s National Crime Agency (NCA), it took nearly two years to map the infrastructure. There were multiple properties in Kharkiv, Ukraine that were raided to confiscate computer equipment used by hackers.

Two people have been arrested by the Ukranian Cyberpolice Department who were involved in Emotet’s infrastructure maintenance. The two, if found guilty, could face 12 years in prison.

“Analysis of accounts used by the group behind Emotet showed $10.5 million being moved over a two-year period on just one Virtual Currency platform. Almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.” The NCA said.

Emotet is said to have cost about $2.5 billion in damages globally, according to Ukrainian authorities.

At least 700 servers operating Emotet across the world have been taken down. Dutch National Police have released a tool that can check for a potential compromise based on 600,000 email addresses, usernames and passwords that were identified during the investigation.

Dutch police have deployed a software update that will neutralize Emotet.

“All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined,” the agency said.

According to tweet posted by “milkream”, a security researcher, Emotet is being wiped from all compromised machines on April 25, 2021 at 12:00pm local time.

Although Emotet appears to have been dismantled, Abuse.ch’s Feodo Tracker shows that there are still at least 20 Emotet servers that are still online.

“A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like Emotet,” Europol warned.

“Users should carefully check their e-mail and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and e-mails that implore a sense of urgency should be avoided at all costs.”

Story via The Hacker News