World’s most dangerous malware brought down

Editorial Type: News Date: 01-2021 Views: 416 Tags: Security, Botnets, Malware, Cybercrime, Ransomware, Phishing, Nominet
Investigators seize control of the EMOTET bot in international operation

According to Interpol, law enforcement and judicial authorities worldwide have this week disrupted one of the most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an internationally coordinated action.

EMOTET has been one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved over the years into the go-to solution for cybercriminals. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups to deploy further illicit activities, such as data theft and extortion through ransomware.

“It is hard to overstate the significance of the achievement announced by Europol today in bringing the EMOTET botnet offline,” states Cath Goulding, CISO Nominet. “It will have immediate effect from a cyber security perspective, with EMOTET consistently ranking as one of the most persistent threats facing individuals and organisations. EMOTET was used as a springboard for a number of cybercriminal groups and attack techniques. The dismantling of its infrastructure will effectively kill a number of malicious operations, at least for the short term.”

However, even more significant than the immediate benefits is the precedent this sets for international collaboration in fighting back against widespread criminal organisations, she adds. “For years, cyber criminals have exploited the complexity of enforcing cyber security law across borders. This announcement signifies major progress in closing those gaps and holding cyber criminals to account. It is an achievement for all of the countries involved in this collaborative effort and establishes a process whereby international cybercrime can be thwarted.”

Kelvin Murray, senior threat research analyst at Webroot, points out that, given the distributed nature of Emotet and the legal impunity with which its masters have operated for years, it is doubtful that this operation will end it entirely. “However, it will make this huge criminal enterprise more complicated and expensive to run and help strengthen the cross-border co-operation desperately needed in the fight against cybercrime.” The operation to put EMOTET out of action was the result of a collaborative effort between authorities in the UK, the Netherlands, Germany, the United States, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

“The evolution and volume of attack types emitting from botnets have been significant over recent years, and it's likely we'll continue to see others emerge in the future, due to the scale of infection they can achieve and the financial rewards gained from them,” adds Murray. “The UK's National Crime Agency reported seeing over $10.5M moved by the group behind Emotet over a two-year period on just one virtual currency platform. Investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure, highlighting the size and scale of the operation.”

To protect against future botnet threats, he concludes, “organisations should ensure they have strong, reputable cybersecurity software in place that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple types of attacks at different stages of the attack cycle. They should also run regular security awareness and phishing simulations to ensure end-users know how to spot suspicious messages and threats”.