Cyber cops team up to disrupt top malware-seeding network


Via AP news wire
Wednesday 27 January 2021 18:37

European and North American cyber cops have joined forces to disrupt what may be the world's largest network for seeding malware infections, striking a major blow against criminal gangs that have been using it for years to install ransomware in extortion schemes, steal data and engage in financial theft.

The European Union police and judicial agencies Europol and Eurojust said Wednesday that investigators had taken control of the infrastructure behind the botnet known as Emotet. A botnet is a network of hijacked computers, and this one has effectively served as a primary door-opener for cybercriminals since 2014.

“This is a really big deal. Emotet was one of the largest, if not the largest, botnets delivering a wide variety of malware. Their botnet consisted of hundreds of thousands of compromised hosts which were used to send more than 10 million spam and phishing emails a week,” said Allan Liska, an analyst with Recorded Future.

The Emotet model of recent years was “a game changer for ransomware gangs who otherwise rely on other access methods,” said Jake Williams, president of Rendition Infosec, another cybersecurity firm.

Emotet has allowed ransomware gangs to outsource initial access and focus their efforts instead on a variety of cybercrime that has crippled Western government, healthcare and educational networks by scrambling their data and providing a decoding software key only after the victims have paid up. Those who don't pay risk having data the hackers exfiltrated exposed publicly.

Williams said via text message that although someone will eventually fill the gap “there's no question that this will hurt (ransomware gangs) and help defenders in the short/mid term.”

Authorities in the Netherlands, Germany, the United States, the U.K., France, Lithuania, Canada and Ukraine took part in the international operation coordinated by the two Hague-based agencies.

Dutch prosecutors said the malware, run out of eastern Europe by a Russian-speaking organization, was first discovered in 2014 and “evolved into the go-to solution for cybercriminals over the years,” responsible for hundreds of millions of dollars in losses beginning with financial theft through a banking trojan.

They said two of the main servers for the infrastructure were based in the Netherlands and a third in another undisclosed country.

The Emotet botnet was effectively used to manage infections of victims and to provide a distributed bulwark against takedown attempts by authorities. In the disruption by law enforcement, its command-and-control infrastructure was rerouted to servers controlled by law enforcement, cutting off Emotet's criminal tenants from the victims they had infected.

Europol said law enforcement agencies teamed up to take down the criminal infrastructure from the inside.

“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure,” the agency said. “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

The operation recalled one carried out by Microsoft late last year against a different botnet known as Trickbot — which was pushed out using Emotet and used in ransomware attacks. The U.S. National Security Agency was also reported to have tried to take down Trickbot.

Costin Raiu, research director at the cybersecurity firm Kaspersky, said the Emotet takedown “should impact other cybercriminal groups' ability to maintain and grow their botnets. It remains to be seen if they will be able to stage a comeback, be it either as Emotet, or perhaps merge with another group and continue from there.”

Emotet's “door-opening” malicious software was automatically delivered to computers in infected email attachments containing Word documents.

“A variety of different lures were used to trick unsuspecting users into opening these malicious attachments,” Dutch prosecutors said in a statement. “In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.”

The operation was not the first time that cybercrime fighters have infiltrated illicit computer operations. In 2017, police shut down the world’s leading “darknet” marketplace — then Dutch police quietly seized a second bazaar to amass intelligence on illicit drug merchants and buyers.

Bajak reported from Boston.
