Emotet suffered a major setback nearly two weeks ago when an international law enforcement collaboration disrupted its infrastructure. But security researchers warn the malware and its operators may still prove to be a threat, and its takedown may give other attackers a chance to grow.
The takedown was no small task: Authorities including Europol, the FBI, and the UK's National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine, teamed up to bring down one of the world's most prolific and dangerous botnets.
As of December 2020, Emotet was the world's most popular malware, affecting 7% of organizations globally, Check Point research found. Its massive presence made it an appealing vector for attackers who wanted to deploy widespread malware and ransomware campaigns.
"Emotet, in a way, was by far the most successful botnet ever invented," says Lotem Finkelsteen, Check Point's head of threat intelligence. Several factors drove the botnet's growth: its tactics for infecting devices that enlarged its infection base; the attackers' ability to tailor phishing attacks to current events; and attackers' use of infected devices to send spam over a corporate network.
By the time law enforcement intervened, Emotet involved several hundred servers around the world. The botnet had infected more than 1.6 million machines and caused hundreds of millions of dollars in damage, the Department of Justice reported following its disruption.
Now, officials have gained control of Emotet infrastructure and taken it down from the inside. Infected devices have been redirected to law enforcement-controlled infrastructure, which will limit the spread of Emotet because attackers won't be able to sell access to affected computers.
"The current operations are mostly disrupted, the operations that were in the near future are, of course, disrupted. … In that sense, there's a massive win," says Stefano DiBlasi, threat researcher with Digital Shadows. Experts agree that Emotet's takedown is good news for the security community; however, they remain concerned about what could happen in the future.
This isn't the first time we've seen the disruption of a major botnet. A few months before the Emotet operation, security firms and financial groups collaborated to disrupt Trickbot. But the effects didn't last; shortly after, activity from the botnet proved its resistance to takedowns.
Emotet Down: What This Means for the Present
Could Emotet come back in the same way? Experts don't think so because this law enforcement operation was more comprehensive and involved more participation from global authorities. It's likely Emotet's disruption will have more of a long-term effect on the botnet's operations. Still, experts don't believe we've heard the last of these attackers, despite the loss of their network.
"We believe the actors themselves, the brains behind this operation, are still free, but their ability to control their systems, or to control their infection base, is limited to none," says Finkelsteen, who notes this large network of infected computers was "the asset of Emotet."
For now, the takedown has disrupted Emotet's global operations.
"I think in the short term, the fact that it was a loader is actually a force multiplier in terms of how hard of a hit they're getting," says Etay Maor, senior director of security strategy for Cato Networks. Emotet's operators can't sell access, and they can't deploy ransomware or malware. He hopes that in the near term, this contributes to a decline in ransomware and pay-per-infection.
For those who have been infected with Emotet, or were fearing infection, the takedown is good news. This operation also likely gave law enforcement a greater understanding of how Emotet works, which may contribute to long-lasting efforts to eliminate the botnet.
Unfortunately, Emotet's absence may also prove beneficial to other active threats, Finkelsteen points out. Attackers who bought access from Emotet's attackers will likely seek other botnets to achieve their goals. There is high demand for this kind of service.
"There is no vacuum in the cyber-threat landscape," he says. "Now that Trickbot cannot buy any infected computers or network from Emotet, it doesn't mean that they won't look for other botnets to do that."
Qbot and Dridex are two examples of known botnets with large infection bases that could meet the high demand. Qbot is very similar to Emotet, he continues; its attackers also capitalize on email trends to develop phishing attacks. Dridex is a powerful threat, and Finkelsteen notes it's already being used to collaborate with ransomware operators — a trend that could continue.
"Maybe more ransomware operators will join Dridex and try to replicate the success they had with Emotet," he says.
What This Means for the Future
While other attackers may try to fill the space left by Emotet's takedown, experts agree that we will eventually see its operators resurface — but their activity will likely take a different form.
"When it comes to the long term, we have to take into account various factors," says Digital Shadows' DiBlasi. "The first and most important one is the operators behind Emotet are still around." Officials made some arrests during their operation, but it's likely the vast majority of attackers remain free and have the skills to rebuild a threat.
Emotet's operators have the knowledge, experience, and techniques to become active again, as well as connections within the criminal community. The return won't be quick, says Finkelsteen, who thinks we may see their craft perhaps a year from now, and it won't look the same. It will take far longer to rebuild Emotet's infection base — if they're ever able to reach that level again.
"To be able to [grow] themselves as they did with Emotet, I think they would have to come up with something that evades managed security products; that doesn't make life so easy for the researchers," he adds. Emotet has to learn from this takedown in order to avoid a future one.
This means it's not likely to use off-the-shelf security tools and other known products in the long term, says DiBlasi. While "it's certainly possible," he agrees Emotet's operators will need to change their tactics if they want to make a comeback. Known attack tools may be detected, and while they can deploy malware in the short term, they won't help Emotet much in the long run.
This takedown is a win for law enforcement and the security community; however, it's critical to continue disrupting threats like these. Emotet isn't the last major threat businesses will face.
"I think the most important thing we saw is there is no vacuum," says Finkelsteen. "While it is a huge success for law enforcement, we need to pick the next target. We need to catch it before it's too big."