Original article: Erin Johnson
2021 got off to a fantastic start for the cybersecurity community with the news that the infamous botnet Emotet had been brought down in a coordinated global operation, “Operation Ladybird.”
As the first security vendor to detect and profile the Trojan all the way back in 2014, we’re particularly delighted to be seeing the back of it. This takedown sends a clear message that cybercrime has consequences, which we hope will make a positive long-term impact. At Trend Micro, we’re determined to do our part supporting the work of law enforcement wherever we can.
We’re now asking the question: Can we be sure that this is the last we’ll hear from those behind the long-running campaign?
The evolution of Emotet
To get a better idea for what to look for if the actors return to crime, it makes sense to look back at the origins of Emotet.
Emotet first appeared in 2014 when we discovered what was then a relatively straightforward banking Trojan spread by phishing emails. Over the years, it evolved multiple times into a Malware-as-a-Service botnet, offering access to compromised computers for those willing to pay. Unfortunately, there were many, including ransomware groups such as Ryuk and the data-stealing trojan, Trickbot. These quickly made the most of the initial access provided by Emotet, picking and choosing which victims they would deploy additional payloads to.
The success of Emotet highlighted two things:
Emotet’s ability to spread laterally through devices on a network also made it among the most resilient pieces of malware seen in recent times, as Europol argued.
In fact, it became one of the biggest threats we’ve monitored over the past few years – consistently in the top 10 campaigns detected – and more than 1.6 million victim machines, according to the DoJ.
Everyone makes mistakes
We’re pleased to report that since the takedown operation in January, there has been no Emotet activity. We still observed some detections, since it is nearly impossible to erase all traces of infection immediately upon takedown. As residual infections continue to be cleaned up, we’ll see a gradual elimination of the threat, much like the impact of various restrictions or vaccinations that curb the COVID-19 pandemic.
But what of the future? This is where things are less certain.
It’s still not clear which members of the gang were taken into custody and therefore what resources are still available to restart operations. Quite probably, lessons will have been learned by the Emotet leaders — it’s unlikely they’ll repeat the same mistakes that gave law enforcement the ability to seize control of their infrastructure
The actors behind Emotet are well-connected and well-funded. We predict that any senior members of the group still at large will seek to partner with another trusted actor – possibly Trickbot – to purchase some of its botnet and start again.
Partnering for success
The cybersecurity community is moving in the right direction, there’s nothing like some high-profile arrests and total infrastructure seizure to remind those still at large that cybercrime is not without its consequences. The Dutch police are doing a sterling job here, proactively posting messages on criminal forums to psych-out the bad guys. One ominous note reads: “Everyone makes mistakes. We’re waiting for yours.”
Additionally, the Dutch Police offer this tool to see if your account details were among the 4.2 million compromised.
At Trend Micro we have a long and successful history partnering with law enforcement on cases like this. It’s led to a number of arrests and convictions in the past, and we’ll always do what we can to share our global threat intelligence and expertise whenever required.
International law enforcement partnerships continue to do a great job, and the world is a lot safer place as a result. Cybercrime, like cybersecurity, is ultimately a human challenge. Sending a strong, unified message that cybercrime ultimately does not pay is key to making the digital world a safer place.