The end of Emotet

We've all pretty much gotten used to the fact that malware isn’t likely to go away any time soon. These days, malware usually only makes the headlines if it causes substantial damage or is particularly severe. During the coronavirus pandemic, we’ve mostly heard about malware attacks that either targeted hospitals or made ludicrous ransom demands. Our tendency to overlook the vast destructive potential of seasoned malware is made painfully obvious by incidents such as the downfall of the malware dropper Emotet at the end of January. Emotet has been on the block for several years – it was first reported in the wild in 2014. Only now, seven years later, have the police managed to shut down most of Emotet's command and control network in an international operation. To date, the damage caused by Emotet has been estimated at an incredible 2.5 billion US dollars.

There was nothing particularly sophisticated or threatening about Emotet apart from its ability to adapt. Emotet started out as a Trojan designed to intercept online banking data. It quickly evolved from a one-trick pony into a criminal infrastructure – the Emotet operators rented infected computers to other cybercriminals for distributing their own malware. Emotet bots were also rented out for attacks and other criminal tasks that needed a large number of systems. Criminals have used Emotet botnets several times to distribute malware like TrickBot and Ryuk on a massive scale. One of the most famous victims was the German IT publisher Heise. The Berlin Court of Appeal and the government of Lithuania also fell victim to Ryuk attacks delivered with the help of Emotet. Emotet has been expanded tirelessly, which has made it just as annoying as it is persistent. Recently a Wi-Fi module was added that could infect other computers connected to the same Wi-Fi network.

But now it's game over for Emotet, at least for a while. During Operation Ladybird at the end of January, police seized around 700 servers and made a significant number of arrests. In Ukraine in particular, local authorities searched a large number of properties with resounding success: currently, the Feodo Tracker operated by Abuse.ch shows only about 20 Emotet servers online, and other malware trackers show even fewer active systems. Dismantling servers and arresting criminals is one thing, but what happens to the – mostly unwitting – victims whose computers are still infected? In the first instance, nothing will happen, as Emotet's command and control servers are now under the control of law enforcement agencies. No new commands will be given to the software, and affected users will not notice that Emotet is under new management. At the end of April, after the authorities have completed their forensic investigations, an update will be distributed via the Emotet C&C network that triggers the malware to self-destruct and remove all traces of the attack. The update terminates the Emotet service and removes the Autorun entry in the registry. Security analyst milkream has tweeted that Emotet is scheduled to be shut down on April 25, 2021 at 12:00pm.

Anyone who wants to see for themselves whether they belong to the unwitting victims can check with the Emotet Email Address Checker. The Dutch page contains a link in its lower part where you can enter your e-mail address. Infected users will be informed by email shortly afterwards. If your computer is infected, it’s time to get to work with a current malware removal tool or to ask someone who knows how to do it. Even if you’ve got off lightly this time, it’s also worth thinking about how you can avoid malware in future, as it's very likely that a successor to Emotet is waiting in the wings. As always, an active anti-malware program and common sense are the best defense mechanisms against Emotet and other malware. If you don’t click, don’t open and don’t believe anything in an email without thinking first, 99% of the usual spray-and-pray campaigns won’t be a threat anymore. Anyone who has fallen victim to one of the few targeted attacks knows for themselves that they must be vigilant in their digital communication. But at least no one has to be afraid of Emotet in the near future. And at least that’s some good news for 2021.