2/8/2021
06:40 PM
Emotet Takedown: Short-Term Celebration, Long-Term Concerns

Security researchers examine how and when Emotet's operators may resurface, and the threats that could evolve in the meantime.

Emotet suffered a major setback nearly two weeks ago when an international law enforcement collaboration disrupted its infrastructure. But security researchers warn the malware and its operators may still prove to be a threat, and its takedown may give other attackers a chance to grow.


The takedown was no small task: Authorities including Europol, the FBI, and the UK's National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine, teamed up to bring down one of the world's most prolific and dangerous botnets.

As of December 2020, Emotet was the world's most popular malware, affecting 7% of organizations globally, Check Point research found. Its massive presence made it an appealing vector for attackers who wanted to deploy widespread malware and ransomware campaigns.

"Emotet, in a way, was by far the most successful botnet ever invented," says Lotem Finkelsteen, Check Point's head of threat intelligence. Several factors drove the botnet's growth: its tactics for infecting devices that enlarged its infection base; the attackers' ability to tailor phishing attacks to current events; and attackers' use of infected devices to send spam over a corporate network.

By the time law enforcement intervened, Emotet involved several hundred servers around the world. The botnet had infected more than 1.6 million machines and caused hundreds of millions of dollars in damage, the Department of Justice reported following its disruption.

Now, officials have gained control of Emotet's infrastructure and taken it down from the inside. Infected devices have been redirected to law enforcement-controlled infrastructure (a sinkhole), which limits the spread of Emotet because the operators can no longer task their bots or sell access to affected computers. Sinkholing stops the tasking, but it does not by itself remove the implant from infected machines; those hosts still have to be identified and cleaned.
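One post-takedown check a defender would want is to find hosts that are still beaconing to the sinkholed addresses, since a machine that keeps calling home on a regular cadence is still infected even though the C2 no longer answers with payloads. The script below is an added example, not code from the article or from any law-enforcement or vendor tooling. The sinkhole addresses are placeholders from the RFC 5737 documentation ranges (the real list is distributed through sharing channels and is not reproduced here), and the log records are constructed, not captured traffic.

```python
"""Find hosts still beaconing to sinkholed C2 addresses after a takedown.

Added example; not the article's or any agency's tooling.
Assumptions (all constructed for illustration):
  - SINKHOLE_IPS: addresses now under law-enforcement control. TEST-NET
    ranges (RFC 5737) stand in for the real, non-public list.
  - LOG_LINES: synthetic proxy/NetFlow-style records,
    "<ISO timestamp> <src ip> <dst ip>:<port>".
A single contact may be a scanner or a researcher; a regular cadence of
contacts from one host is the signal that an implant is still running there.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SINKHOLE_IPS = {"192.0.2.10", "198.51.100.7"}   # placeholders, not real C2 IPs

LOG_LINES = [  # constructed sample data
    "2021-02-08T09:00:00 10.1.1.5 192.0.2.10:8080",
    "2021-02-08T09:15:00 10.1.1.5 192.0.2.10:8080",
    "2021-02-08T09:30:00 10.1.1.5 192.0.2.10:8080",
    "2021-02-08T09:45:00 10.1.1.5 192.0.2.10:8080",
    "2021-02-08T09:02:00 10.1.1.9 198.51.100.7:443",
    "2021-02-08T10:00:00 10.1.1.20 203.0.113.4:443",
    "2021-02-08T10:05:00 10.1.1.20 203.0.113.4:443",
]


def parse_line(line):
    """Split one record into (timestamp, src, dst_ip, dst_port)."""
    ts, src, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)


def sinkhole_hits(lines, sinkholes=SINKHOLE_IPS):
    """Map each source host to the timestamps of its sinkhole contacts."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, ip, _ = parse_line(line)
        if ip in sinkholes:
            hits[src].append(ts)
    return dict(hits)


def beaconing_hosts(lines, min_hits=3, jitter_tolerance=0.2):
    """Return {src: median interval in seconds} for hosts with at least
    min_hits sinkhole contacts spaced at a roughly constant interval.
    jitter_tolerance is the allowed deviation from the median gap."""
    result = {}
    for src, stamps in sinkhole_hits(lines).items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= jitter_tolerance * med for g in gaps):
            result[src] = med
    return result


def triage(lines, min_hits=3):
    """Split sources into 'beaconing' (periodic, likely still infected)
    and 'contacted' (touched a sinkhole at least once; needs a look)."""
    hits = sinkhole_hits(lines)
    periodic = beaconing_hosts(lines, min_hits)
    return {
        "beaconing": sorted(periodic),
        "contacted": sorted(h for h in hits if h not in periodic),
    }


if __name__ == "__main__":
    for bucket, hosts in triage(LOG_LINES).items():
        print(bucket, hosts)
```

Feeding real proxy or flow logs through `parse_line` is the only adaptation needed; the periodicity test is deliberately loose (20% jitter by default) because loaders typically randomize their check-in interval slightly.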

"The current operations are mostly disrupted, the operations that were in the near future are, of course, disrupted. … In that sense, there's a massive win," says Stefano DiBlasi, threat researcher with Digital Shadows. Experts agree that Emotet's takedown is good news for the security community; however, they remain concerned about what could happen in the future.

This isn't the first time we've seen the disruption of a major botnet. A few months before the Emotet operation, in October 2020, security firms and financial-sector groups collaborated to disrupt Trickbot's command-and-control infrastructure. The effect was short-lived: within weeks the botnet was rebuilding infrastructure and running new campaigns, showing how resilient a botnet can be when its operators remain free.

Emotet Down: What This Means for the Present

Could Emotet come back in the same way? Experts don't think so because this law enforcement operation was more comprehensive and involved more participation from global authorities. It's likely Emotet's disruption will have more of a long-term effect on the botnet's operations. Still, experts don't believe we've heard the last of these attackers, despite the loss of their network.

"We believe the actors themselves, the brains behind this operation, are still free, but their ability to control their systems, or to control their infection base, is limited to none," says Finkelsteen, who notes this large network of infected computers was "the asset of Emotet."

For now, the takedown has disrupted Emotet's global operations.

"I think in the short term, the fact that it was a loader is actually a force multiplier in terms of how hard of a hit they're getting," says Etay Maor, senior director of security strategy for Cato Networks. Emotet's operators can't sell access, and they can't deploy ransomware or malware. He hopes that in the near term, this contributes to a decline in ransomware and pay-per-infection.

For those who have been infected with Emotet, or were fearing infection, the takedown is good news. This operation also likely gave law enforcement a greater understanding of how Emotet works, which may contribute to long-lasting efforts to eliminate the botnet.

Unfortunately, Emotet's absence may also prove beneficial to other active threats, Finkelsteen points out. Attackers who bought access from Emotet's attackers will likely seek other botnets to achieve their goals. There is high demand for this kind of service.

"There is no vacuum in the cyber-threat landscape," he says. "Now that Trickbot cannot buy any infected computers or network from Emotet, it doesn't mean that they won't look for other botnets to do that."

Qbot and Dridex are two examples of known botnets with large infection bases that could meet this demand. Qbot is very similar to Emotet, he continues; its operators also capitalize on email trends to craft phishing lures. Dridex is a powerful threat, and Finkelsteen notes its operators already collaborate with ransomware groups, a trend that could continue.

"Maybe more ransomware operators will join Dridex and try to replicate the success they had with Emotet," he says.

What This Means for the Future

While other attackers may try to fill the space left by Emotet's takedown, experts agree that we will eventually see its operators resurface — but their activity will likely take a different form.

"When it comes to the long term, we have to take into account various factors," says Digital Shadows' DiBlasi. "The first and most important one is the operators behind Emotet are still around." Officials made some arrests during their operation, but it's likely the vast majority of attackers remain free and have the skills to rebuild a threat.

Emotet's operators have the knowledge, experience, and techniques to become active again, as well as connections within the criminal community. The return won't be quick, says Finkelsteen, who thinks we may see their craft perhaps a year from now, and it won't look the same. It will take far longer to rebuild Emotet's infection base — if they're ever able to reach that level again.

"To be able to [grow] themselves as they did with Emotet, I think they would have to come up with something that evades managed security products; that doesn't make life so easy for the researchers," he adds. Emotet's operators would have to learn from this takedown in order to avoid the next one.

This means the group is unlikely to rely on off-the-shelf attack tools and other well-known tooling in the long term, says DiBlasi. While "it's certainly possible," he agrees Emotet's operators will need to change their tactics if they want to make a comeback. Known attack tools are readily detected; they may serve to deploy malware in the short term, but they won't help Emotet much in the long run.

This takedown is a win for law enforcement and the security community; however, it's critical to continue disrupting threats like these. Emotet isn't the last major threat businesses will face.

"I think the most important thing we saw is there is no vacuum," says Finkelsteen. "While it is a huge success for law enforcement, we need to pick the next target. We need to catch it before it's too big." 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...