The takedown of Emotet in a global sting operation on 27 January brought to an end – for now – one of the most active and dangerous cyber threats worldwide. It is being rightly celebrated across the security community as a shining example of the power of international collaboration to target malicious actors.
Emotet began life as a banking trojan in 2014 but has since evolved into a highly sophisticated botnet used as a malware and ransomware delivery mechanism. It has come to form a key “cog” in the growing cyber crime-as-a-service racket, effectively renting itself out to other cyber criminals, selling them access to compromised systems to steal and ransom data, and so on.
Its popularity and success hinged on its sheer effectiveness at getting people to click on its phishing emails and begin the infection process, according to Webroot analyst Tyler Moffitt, and this fact makes its takedown a highly significant event, he added.
“Ransomware is always the second- or third-stage payload after Emotet has gained a foothold in the environment, so this takedown is a huge blow to ransomware campaigns,” said Moffitt. “We’ve already seen ransomware authors run their own malspam botnets, but they just weren’t as effective.”
Kimberly Goody, Mandiant’s senior manager of cyber crime analysis, added: “Between October 2020 and January 2021, we observed Emotet distribute multiple malware variants that have been used to enable ransomware operations, so it is plausible that this Emotet disruption may reduce the immediate victim pool for ransomware deployment.”
Nominet CISO Cath Goulding agreed that it was hard to overstate the significance of Emotet going offline. “It will have immediate effect from a cyber security perspective, with Emotet consistently ranking as one of the most persistent threats facing individuals and organisations,” she said. “Emotet was used as a springboard for a number of cyber criminal groups and attack techniques. The dismantling of its infrastructure will effectively kill a number of malicious operations, at least for the short term.”
Disaster recovery?
The key words here are “short term” because, as we have seen before, taking key infrastructure offline does not necessarily mean that Emotet is gone for good, and it would be unwise to drop your guard, even for a second.
So while Sherrod de Grippo, senior director of threat research and detection at Proofpoint, was among those celebrating Emotet’s demise, she said that at this stage it was hard to know what the end result of the action would be.
“Law enforcement events can have, and previously have had, variable impact on disrupting the technology and operators of these large-scale botnets,” said de Grippo.
“Considering this appears to be a law enforcement action on the back-end infrastructure of the Emotet botnet, this really could be the end. Further to this, if the threat actors behind the botnet [TA542] were apprehended or even disrupted in some way, that could have a significant impact on the potential of future operations.”
Webroot’s Moffitt said that while the disruption of Emotet was a hammer blow against ransomware campaigns, in the long run it changes little. “These hackers will be back after they lie low for a while and vacation with their extensive earnings, and I anticipate with a botnet that has even more improvements over Emotet,” he said.
Mandiant’s Goody added: “Mandiant has observed threat actors rebuild their botnets following other takedown or disruption efforts, although the likelihood of this scenario hinges on the significance of the individuals who have been apprehended.”
She said it was likely that Emotet’s ride-or-die partners might come to the rescue in some form.
“Notably, the actors behind Emotet have existing partnerships with other notable malware operations, including Trickbot, Qakbot and Silentnight,” said Goody. “In addition to distributing these families as secondary payloads, we have occasionally observed Emotet being distributed by these families in the past. These existing partnerships and renewed spamming could be leveraged to rebuild the botnet.”
Chris Morales, head of security analytics at Vectra, went so far as to compare the takedown of Emotet to the disruption of a major Amazon Web Services or Microsoft Azure datacentre. “The immediate impact would be felt, but eventually organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed,” he said. “This could take some time, depending on the capabilities and funding of the organisations leveraging that infrastructure.”
Score one for collaboration
Despite the undeniable fact that fighting cyber crime is rather like playing a rigged sideshow game at a fairground, there are lessons in Emotet’s takedown that perhaps makes it a little more likely that (to continue the analogy) someone might win the giant plush Pikachu in the future.
“The good news is, I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats,” said Vectra’s Morales. “This is a good start for what I hope will be a long and ongoing collaboration in targeting these types of organisation that can operate beyond any specific country’s borders.”
Nominet’s Goulding added: “For years, cyber criminals have exploited the complexity of enforcing cyber security law across borders. This announcement signifies major progress in closing those gaps and holding cyber criminals to account. It is an achievement for all the countries involved in this collaborative effort and establishes a process whereby international cyber crime can be thwarted.”
F-Secure managing consultant Jordan LaRose said: “Law enforcement agencies from across the globe collaborating on something like this is not only a victory in that it has likely crippled one of the most prolific droppers in recent memory, this is also a victory in international collaboration to combat cyber threats that target organisations worldwide.
“One of the most difficult aspects of incident response, and combating malware at large, is taking action against attackers who are able to act anonymously and largely without penalty, due to the diplomatic implications of retaliation against them. This is never truer than with a botnet like Emotet that has infrastructure distributed among countries all over the world.
“This investigation should serve as a warning to all other malware groups that distributed attack strategies won’t protect them for ever.”
Vigilance is of the essence
While security professionals can afford themselves a brief moment of rejoicing, it always bears repeating that the best offence against a threat like Emotet is a solid defence.
Kelvin Murray, senior threat research analyst at Webroot, said: “To protect against future botnet threats, organisations should ensure they have strong, reputable cyber security software in place that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple types of attacks at different stages of the attack cycle.
“They should also run regular security awareness and phishing simulations to ensure end-users know how to spot suspicious messages and threats.”
Cybereason CSO Sam Curry added: “From a defender’s standpoint, we will never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts. We need to arm security analysts with tools to make the connection between disparate indicators of compromise – and, more importantly, the more subtle indicators of behaviour associated with an attack – so they can quickly detect and respond to malicious operations with surgical precision.
“That is the only way to reverse the adversary advantage by detecting earlier and remediating faster; thinking, adapting and acting more swiftly than attackers before they can adjust their tactics; and having the confidence as defenders that we can reliably intercept and eliminate emerging threats before an attack escalates to the level of a breach.”