Police agencies around the world including the RCMP and the FBI say they have crippled one of the worst malware distribution networks by seizing the infrastructure behind the Emotet botnet.
In addition, U.S. authorities say the distribution of the Netwalker ransomware has also been disrupted. That includes charges against a Canadian and the seizing of approximately US$454,530 in cryptocurrency from ransom payments.
According to an indictment unsealed today in Florida, Sebastien Vachon-Desjardins of Gatineau, Que., is alleged to have obtained at least US$27.6 million as a result of the offences listed in the indictment.
Emotet control servers in Canada
In a statement Wednesday morning the RCMP said 13 of the 50 command and control servers behind Emotet were located in Canada.
The week-long operation involved authorities in the Netherlands, Germany, the United Kingdom, France, Lithuania, and Ukraine.
UPDATE: The ZDNet news service reports that law enforcement officials in the Netherlands plan to push an update through the captured Emotet servers that, on March 25th, will uninstall the Emotet malware itself from infected machines.
Malwarebytes later clarified that the removal code is timed to execute on April 25th.
According to the Europol police co-operative, law enforcement and judicial authorities gained control of the Emotet infrastructure and “took it down from the inside” using a “unique and new approach.”
“Emotet has been one of the most professional and long-lasting cybercrime services out there,” the Europol police co-operative said in a statement. “First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorized access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”
According to the RCMP, Emotet reportedly infected more than 1.7 million computers in 226 countries, including 6,000 in Canada. It estimated the malware is the foundation of 60 per cent of cyberattacks and served as a digital precursor to a wide range of other extremely damaging malware, making it one of the most significant current digital threats.
Emotet was a polymorphic threat, meaning each new build of the malware changed its code, so that file hashes and static signatures written for one sample did not match the next.
Netwalker goes down, too
The Netwalker ransomware group has also been hit by police. According to security researchers online, anyone going to the Netwalker web site, where it lists its victims, is greeted with a sign that says, “This hidden site has been seized by the Federal Bureau of Investigation. This action has been taken in co-ordination with the United States Attorney’s office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from the Bulgarian National Investigation Service and the General Directorate Combating Organized Crime.”
In a Jan. 27 statement, the U.S. Justice Department confirmed the seizure and said Netwalker often attacked the healthcare sector to take advantage of COVID-19 worries.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said the acting Assistant Attorney General Nicholas McQuaid of the Justice Department’s Criminal Division. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”
Netwalker is a ransomware-as-a-service operation that, in addition to installing ransomware, enables the theft of data to put more pressure on victims to pay up. According to cybersecurity vendor Varonis, the group (also called Mailto by some researchers) has cashed in over US$30 million in ransoms since their first significant attacks in March 2020.
Varonis believes Netwalker was created by a group known as “Circus Spider” in 2019. Circus Spider is one of the newer members of the “Mummy Spider” cybercriminal group. At first, it acted like most ransomware strains, establishing an initial foothold through phishing emails, followed by exfiltrating and encrypting sensitive data to hold hostage for a large ransom. But then the developers followed the Maze group model and expanded to ransomware-as-a-service, allowing “affiliates” to join its network.
Affiliates are chosen for their experience in networks, ability to speak Russian (according to Varonis the developers don’t accept English speakers), and proof of experience including their ability to hack into quality targets.
Among the victims claimed by Netwalker were the Ontario College of Nurses, the Crozer-Keystone Health System in the U.S., the University of California at San Francisco and the Champaign-Urbana Public Health District in Illinois.
The Emotet group “managed to take email as an attack vector to the next level,” said Europol. “Through a fully automated process, Emotet malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.”
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link in the message body, said Europol. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install the Emotet malware on the victim’s computer.
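The macro-lure delivery chain described above (a Word attachment, or a link to one, that asks the user to enable macros) is where a mail gateway gets its first look at an Emotet infection. As an added example that is not code from the article or from Europol, here is a Python triage check over attachments: it identifies the container by magic bytes rather than by extension, looks inside OOXML documents for an embedded VBA project, and flags legacy binary .doc files and extension mismatches for deeper scanning. Only the standard library is used; the sample attachments are constructed in memory, and the function and file names are assumptions of this example.

```python
"""Triage of e-mail attachments for macro-bearing Word documents of the kind
Emotet used as lures.  Added example; not code from the article or from any
organisation it quotes.  Sample attachments are constructed in memory."""
import io
import zipfile

# Magic bytes: OOXML files (.docx/.docm) are ZIP containers; legacy .doc files
# are OLE2 compound documents.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

OLE2_EXTS = {"doc", "dot", "xls", "ppt", "msg"}
OOXML_EXTS = {"docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "pptx", "pptm"}
MACRO_FREE_EXTS = {"docx", "dotx", "xlsx", "pptx"}


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment.

    Checks:
      * container type from magic bytes, never from the extension;
      * OOXML: an embedded VBA project part (word/vbaProject.bin) or a
        [Content_Types] entry declaring a macro-enabled document type;
      * claimed extension vs. real container (e.g. a macro-enabled file
        renamed to .docx, or an OLE2 file delivered as .pdf).
    Legacy OLE2 documents are flagged for a full macro scan (for example with
    olevba) because walking the OLE stream tree is out of scope here.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = {"container": "unknown", "has_vba": False,
               "ext_mismatch": False, "needs_review": False, "reasons": []}

    if data.startswith(OLE2_MAGIC):
        verdict["container"] = "ole2"
        if ext not in OLE2_EXTS:
            verdict["ext_mismatch"] = True
            verdict["reasons"].append(f"OLE2 container with .{ext} extension")
        verdict["needs_review"] = True
        verdict["reasons"].append("legacy binary Office file: scan OLE streams for VBA")
        return verdict

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                content_types = (zf.read("[Content_Types].xml")
                                 if "[Content_Types].xml" in names else b"")
        except zipfile.BadZipFile:
            verdict["needs_review"] = True
            verdict["reasons"].append("corrupt ZIP container")
            return verdict
        if (any(n.lower().endswith("vbaproject.bin") for n in names)
                or b"macroEnabled" in content_types):
            verdict["has_vba"] = True
            verdict["needs_review"] = True
            verdict["reasons"].append("VBA project embedded")
        if verdict["has_vba"] and ext in MACRO_FREE_EXTS:
            verdict["ext_mismatch"] = True
            verdict["reasons"].append(f"macro-enabled content behind a .{ext} extension")
        if ext not in OOXML_EXTS:
            verdict["ext_mismatch"] = True
            verdict["reasons"].append(f"OOXML container with .{ext} extension")
        return verdict

    return verdict


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML document in memory (sample input, not a real lure)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct = ('<?xml version="1.0"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_vba:
        ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes only; a real vbaProject.bin is itself an OLE2 stream.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b" constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_ooxml(False)),
                       ("invoice.docm", build_ooxml(True)),
                       ("invoice.docx", build_ooxml(True)),
                       ("shipping_notice.doc", OLE2_MAGIC + b"\x00" * 32),
                       ("covid_info.pdf", OLE2_MAGIC + b"\x00" * 32)]:
        print(name, classify_attachment(name, blob))
```

The point of keying on magic bytes is that the lure's filename is under the attacker's control while the container format is not; a gateway that trusts the extension will wave through a macro-enabled document renamed to .docx. The OLE2 branch deliberately stops at "needs review" rather than guessing, since the legacy format stores VBA in compressed streams that need a proper parser.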
“Emotet was much more than just a malware,” the Europol statement added. “What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer. This type of attack is called a ‘loader’ operation, and Emotet is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.
“Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.”
As part of the operation, Dutch police seized a list of compromised email addresses and passwords Emotet was using to spread malware. The Dutch police have set up a lookup page where you can check whether your email address is on that list: enter your address, and if you receive a message back, the address (and the password harvested with it) has been compromised. If your address appears, treat that password as known to criminals and change it everywhere it was reused.
Security experts aren’t sure if the action against Emotet will end or merely slow the activities of its developers. “While this is a great victory for stopping ransomware campaigns in the short-term, I don’t think this will quell much of the ransomware threat in the long term,” said Kelvin Murray, senior threat researcher at Webroot. “These hackers will be back after they lay low for a while and vacation with their extensive ‘earnings’, and I anticipate with a botnet that has even more improvements over Emotet.”
Costin Raiu, director of Kaspersky’s global research and analysis team, said that since Emotet was renting its infrastructure to other cybercriminal groups, taking down its servers should also impact those groups’ ability to maintain and grow their botnets. “With Emotet out of the cybercriminal ecosystem,” he added, “it remains to be seen if their place will be taken by another group, or if they will be able to orchestrate a comeback, be it either as Emotet or perhaps as a merger with another group and continue from there.”