In November, 10 months after an international task force shut down Emotet's servers and infrastructure, the botnet came back online.
The new Emotet, which spread malware in a spurt of Spanish-language messages in the latter half of the month, consisted of two botnets using different encryption for communication and additional commands than the previous version, which was taken down in January. At the time of the takedown, the threat had accounted for 7% of attacks on organizations worldwide and often delivered malware or ransomware to the 1.6 million machines compromised by attackers.
Emotet's revival highlightshow many botnet takedowns lack permanence. Along with the resuscitation of TrickBot in 2020, the resurgence of Emotet demonstrates that the industry and government agencies should take a hard look at whether the tactic needs to be revisited or revised, says David Monnier, a fellow with threat intelligence firm Team Cymru.
"It is an incredibly valid question that we should be asking, as we do with anything: If you are not getting the results you want, should [you] be doing something different instead?" he says. "Are we getting better or is this [the movie] 'Groundhog Day'?"
More than a decade ago, Microsoft pioneered using legal measures to allow private companies to take down botnets. More than a score of takedowns later, multi-organizational efforts — which now often include law enforcement and private-industry partners — often only temporarily disrupt botnet infrastructures. Trickbot's operators, for example, started reviving the network within a few weeks of the initial takedown.
In Emotet's case, the takedown led to a 10-month hiatus, during which the botnet's operators appear to have made changes, such as moving away from the increasing use of cybercriminal services for parts of the infection and payload chain, says Scott Scheferman, a principal cyber strategist at Eclypsium, a firmware- and hardware-security firm.
"These actors have a lot of resilience and a ton of money. As a result, they can adapt easily," he says. "They are going back to the triad of distribution, a Trickbot loader, and ransomware drop. They are pulling back into themselves centrally, rather than using everything as a service."
The fundamental problem for defenders is that while infrastructure can be disrupted, the people behind the attacks — often protected by complicit nations with liberal cybercrime laws — are unfettered and remain able to work to rebuild their malicious distribution networks. While the United States' and other nations' focus on more aggressive measures to curtail cybercrime, in general, and ransomware, in particular, will help, cybercrime is too profitable for many groups to pare back their operations.
"A lot of these sophisticated actors that have become prolific — the Emotet groups and REvil groups — they are really operating out of places where the West can't touch them," says Michael DeBolt, chief intelligence officer of threat-intelligence firm Intel 471, adding that such downsides do not make the activity not worthwhile. "From a higher level, though, obviously disruption efforts against sophisticated groups should be the target of not just law enforcement, but also of private-industry groups."
In addition to taking down the infrastructure of specific actors, focusing on identifying and disrupting critical criminal infrastructure — such as bulletproof hosting — could also result in more long-term benefits, he adds. In 2011, for example, researchers discovered 95% of the sales revenues of spam-advertised products were handled by about a dozen banks, which allowed financial authorities to disrupt a wide swath of criminal groups.
Defenders and government officials need to identify similar keystones in the current cybercrime landscape.
"What this comes down to is really identifying pain points that can increase the time, money, and effort that the cybercriminals need to do business," DeBolt says. "If we identify a server or back-end infrastructure and we take that down, we see, great, it does not completely cut the head off the snake, but it causes them to back off a little bit and rejig, and that is time, money, and effort for them."
Some takedown efforts have led to success. The takedown of the Necurs botnet — which acted as a distribution platform for other malware, such as GameOver Zeus and Trickbot — appears to have largely worked. The botnet, which had gone silent and previously returned, largely disappeared in March 2020 following a takedown spearheaded by Microsoft and Bitsight.
Still, many attackers learn from such actions and return, improving their tactics, techniques, and procedures (TTPs). Fortunately, defenders and law enforcement are also getting more efficient in takedown efforts, says Team Cymru's Monnier. While the balance currently seems to favor attackers, if disruption efforts take less time for defenders to accomplish and more time and effort for attackers to recover from, taking down servers and infrastructure — while temporary — will be worth it, he says.
There isn't necessarily a silver bullet or a single event that can disrupt these efforts, but consistent effort will keep up the pressure on groups and make cybercrime less profitable, the former US Marine says.
"We have a saying in the Marine Corps: You have a choice between the pain of discipline or the pain of regret," Monnier says. "We have to take the same approach, the same tenacity. As long as we make it harder for them, we have to do so."