Skip to content ↓ | Skip to navigation ↓

What’s happened?

Law enforcement agencies across the globe say that they have dealt a blow against Emotet, described by Interpol as “the world’s most dangerous malware”, by taking control of its infrastructure.

Police have dubbed their action against Emotet “Operation LadyBird.”

What is Emotet?

Emotet is an extremely advanced and pernicious family of rapidly-spreading malware, with the capability of dropping other malware onto users’ computers.

Emotet first caused problems in 2014 as a banking Trojan horse, but has evolved over the intervening years, updating itself multiple times a day, as it gets ever more sophisticated in its attempt to spread aggressively and bypass defences.

How does a computer become infected with Emotet?

Typically infections are spread via poisoned email attachments. For instance, last February boobytrapped Word documents were sent out pretending to be related to the Coronavirus pandemic.

Victims are lured into opening the Word document, and then duped into enabling macros which will download the Emotet malware and then install further malware onto infected PCs, and attempt to spread across your network.

Email attachment malware. That doesn’t sound that earth-shattering

It may not be that novel, but it works very well. And Emotet did it at scale – with often half a million Emotet-infected emails being sent each day.

And email attachment malware is not the only trick up Emotet’s sleeve.

Last year, for instance, security researchers discovered a previously-unknown capability within Emotet to hunt for Wi-Fi networks in its vicinity and connect to them (attempting to break passwords if necessary), and then hunt for exposed computers on the same network to infect.

So once it has infected your network, what does it do?

Hackers now have remote access to your infected devices, which means they can not only steal data from you and spy on your activities, but also plant other malware such as ransomware.

Over time the highly organised gang behind Emotet began to rent out access to their botnet of infected PCs to other cybercriminals, such as those operating the Ryuk and Trickbot malware.

OK, so it’s nasty. So what have the police done about it?

Law enforcement agencies have been able to take down Emotet’s infrastructure from the inside, seizing control of the many command-and-control servers located around the world that sent instructions to infected PCs and assisted other cybercriminal gangs.

This sounds like a major victory for cybercrime-fighting agencies.

Yes, Emotet is estimated to be involved in some 30% of all malware attacks. Anything which disrupts its activity is a significant achievement which should be welcomed by all computer users.

Furthermore, as ZDNet reports, law enforcement agencies in the Netherlands are planning to push out an actual update to Emotet designed to remove it from all infected computers at mid-day on March 25, 2021.

Why wait until March 25?

Removing an Emotet infection without the knowledge of the victim has one significant drawback – the user may not ever know that their computers were once compromised. The very existence of Emotet, if discovered by a company or home user, can act as an alarm that other malware may have been implanted on their computers by different gangs or if a data breach occurred.

After March 25, with Emotet gone, it will be more difficult to investigate what may have happened. So check your systems now if you are concerned.

What else should I be doing about this?

It should go without saying that you should keep your anti-virus software and other security defences updated, and your PCs patched. And always use strong, unique, hard-to-crack passwords. In addition, always be wary of unsolicited email attachments, and never enable macros in a Word document unless you are absolutely convinced it is legitimate.

Further to that, however, police in the Netherlands say that they seized a database of some 600,000 email addresses and passwords from one of Emotet’s servers. If you want to check if your details might have been compromised you can visit a page on the Dutch National Police website the authorities have created which will notify you if you are at risk.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.