Malware-as-a-Service trailblazer finally zapped out of existence

Security pros draw lessons Emotet clean-up

The FBI and German police orchestrated the wholesale removal of remnants of the Emotet malware strain from previously infected Windows systems on Sunday (April 25).

The action was made possible by the seizure of servers in January and arrest of two Ukrainian residents suspected of orchestrating Emotet, the world’s largest malware-spewing botnet at the time of its takedown.

Soon after the seizure a kill switch file was distributed to infected systems. This file, which contained a clean-up routine that wiped Emotet infection from compromised devices, was set by a timer that activated on Sunday.

From banking trojan to malware dropper

Emotet began as a banking trojan at the time it was first detected in 2014. From 2016 onwards, the malware was updated and reconfigured to act as a conduit – or ‘dropper’ – to push other strains of malware onto compromised systems.

According to the US Department of Justice, machines affected by Emotet worldwide number just over 1.6 million.

The latest intervention follows the FBI’s proactive response to the Exchange Hafnium attacks, where malicious web shells were replaced.

Catch up on the latest cybercrime news

There are other precedents for this kind of law enforcement intervention, according to threat intel experts.

Sean Nikkel, senior threat intelligence analyst at Digital Shadows, commented: “The most recent precedent for this is the action taken by the FBI to address the malicious web shells emplaced as a result of the Microsoft Exchange vulnerabilities. Reporting did not appear to indicate an unexpected impact as a result of FBI actions.”

Nikkel continued: “Prior to this, we’ve seen law enforcement and security firms sinkhole or take down various malicious botnets and malware, from the notorious WannaCry and GameOver Zeus to crypto-mining operations like Retadup.”


Paul Robichaux, senior director of product management at Quest, said both Exchange Hafnium and Emotet clean-ups were authorized by the application of a recently granted legal authority by federal authorities.

DON’T FORGET TO READ Mining technology company Gyrodata hit by ransomware attack

“The FBI already had the legal authority to search for and seize evidence of federal crimes, and their InfraGard program helps critical infrastructure providers secure their systems, so its recent responses are news mostly because they are a new application of that authority,” Robichaux explained.

Law enforcement stepping in to clean up after botnet takedowns is justified because “leaving individual companies to clean them up themselves is a legitimate national security problem”, according to Robichaux.

Rise and fall

Enterprises need to learn lessons from how Emotet got onto systems in the first place if we’re to stand any chance of preventing similar infestations in future, according to Digital Shadows, which has put together a blog post chronicling the rise and fall of the botnet.

“Emotet spread through phishing and spam containing malicious links and attachments,” Nikkel told The Daily Swig.

“Enterprises should employ active defences against phishing and spam, many of which can scan and sandbox attachments, block known bad senders, or look for other indicators to stop delivery to users.”

RECOMMENDED ‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market