International authorities disrupt 'world's most dangerous malware'

BY MAGGIE MILLER - 01/27/21 THE HILL

© iStockphoto


A team of international law enforcement and judicial groups on Wednesday announced they had disrupted infrastructure used by cyber criminals to spread what authorities described as the “world’s most dangerous malware” and attack organizations around the world.

The Emotet botnet, one of the most prolific malware viruses used by cyber criminals over the past decade, saw its infrastructure disrupted by a coalition of authorities in the United States, the Netherlands, Germany, the United Kingdom, France, Lithuania, Canada and Ukraine, with European Union agencies Europol and Eurojust providing coordination support.

As part of the effort, hundreds of servers around the world used to spread the botnet were taken over by law enforcement, with Europol noting in a statement that as part of this effort, “the infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.”


The botnet had been used by cyber criminals since as early as 2014 as a backdoor into computer systems, with the Emotet virus sold to other cyber criminals once it had established access to these networks, increasing cases of data theft and ransomware attacks.

“EMOTET was much more than just a malware,” Europol wrote. “What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.”

The malware was spread through Microsoft Word documents attached to emails, which were often presented as invoices or shipping notices, or documents having to do with the COVID-19 pandemic, according to Europol.

Significant data theft was also involved in use of the botnet, with Dutch authorities discovering a database that included stolen email addresses, usernames and passwords.

In the U.S., the FBI and the Department of Justice were involved in disrupting the botnet’s infrastructure, while in Ukraine, authorities shared a video of a raid carried out that involved the seizure of dozens of pieces of computer equipment used to support the botnet.

Sherrod DeGrippo, the senior director of Threat Research and Detection at cybersecurity group Proofpoint, described the Emotet botnet as “one of the world’s most disruptive threats.”

“What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans,” DeGrippo said in a statement provided to The Hill on Wednesday. “At this point, any mainstream banking trojan may lead to devastating ransomware attacks. Their campaign volume is typically large, as we usually observe hundreds of thousands of emails per day when Emotet is operating.”

“Considering this appears to be a law enforcement action on the backend infrastructure of the Emotet botnet, this really could be the end,” DeGrippo noted.