Microsoft: Keep your guard up even after Emotet’s disruption

Microsoft warns customers not to let their guard down even after hundreds of Emotet botnet servers were taken down in late January 2021.

Emotet, originally a run-of-the-mill banking trojan spotted in 2014, has evolved into today’s largest and most dangerous botnet used by a threat group tracked as TA542 or Mummy Spider.

The malware is used to drop other malware families including the QakBot and Trickbot trojans (known deployment vectors for Ryuk, Conti, ProLock, and Egregor ransomware payloads) on infected systems.

Telemetry data collected by Microsoft since Emotet’s infrastructure was disrupted shows that the botnet has seen a drastic drop in activity, but Redmond still warns customers not to take down their defenses.

“Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns,” the company’s global network of security experts tweeted earlier today.

“Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.”

Emotet going down

The botnet’s servers were taken down in January and the malware’s operation disrupted following an international action coordinated by Europol and Eurojust.

After this joint effort, law enforcement agencies and authorities from multiple countries were able to take control of several hundred Emotet servers that should’ve made the botnet highly resilient against any takedown attempts.

All computers infected by Emotet were redirected to law enforcement-controlled infrastructure to more effectively disrupt malicious activity.

Law enforcement also distributed a new Emotet module to all infected devices that will automatically uninstall the malware on April 25th, 2021.

“Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected,” Germany’s BKA told BleepingComputer.

“An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences.”

In the past, Emotet has targeted U.S. state and local governments in what DHS-CISA described as potentially targeted campaigns.

Gone for good?

With law enforcement taking over the botnet and forcing it to uninstall itself in April, this could amount to a significant disruption that should make it very difficult for Emotet to return.

However, notwithstanding all signs pointing to Emotet having a hard time coming back, other disrupted botnets have recovered in the past despite concerted takedown efforts.

For instance, despite hopes that the disruption of TrickBot in October by the US government and Microsoft would have a long-term effect, TrickBot was soon back up and running.

Despite this, security researchers and experts like Joseph Roosen of the Cryptolaemus research group, who has been tirelessly tracking Emotet’s activities, are still excited by this development.

“I feel great and very hopeful about the future. The collaboration between law enforcement, private sector and volunteers is a beautiful thing to behold,” Roosen told BleepingComputer.