Covered in our previous article on Emotet’s Disruption, Emotet has been seized by law enforcement. Authorities that managed to seize the notorious malware’s infrastructure have scheduled a mass uninstallation due to occur on 25 April 2021. Cybercriminal law enforcement have been busy cracking down on the cybercriminal landscape in 2021. And although Emotet’s seizure and uninstallation signifies a serious and credible victory for law enforcement and international cooperation, the rather sizable gap in the cybercriminal landscape left by Emotet begs the question; who will claim this space?

What Happened to Emotet?

In late January 2021, Europol announced that the “Emotet” malware and botnet had been disrupted as a result of international collaborative action from eight law enforcement authorities. By successfully disrupting and seizing its infrastructure, law enforcement prevented the operators from conducting any further activity. In addition to assisting in breaking Emotet, Ukrainian police arrested two individuals believed to be responsible for the malware and botnet’s infrastructure. This wasn’t the only key revelation; on 27 Jan 2021, the same day as Europol’s press release, a security researcher operating under the alias “milkream” discovered that Emotet was, in fact, installing a new module onto infected devices. However, this module was not designed by an incredibly successful cybercriminal entity – though other security researchers stated that the German Bundeskriminalamt (BKA) federal police agency was responsible.

milkream’s tweet detailing the BKA’s addition to Emotet’s code. #Emotet does indeed appear to be #Killed.
milkream’s tweet detailing the BKA’s addition to Emotet’s code. #Emotet does indeed appear to be #Killed. (Source: Twitter)

While the uninstall date appeared to be initially set for 25 March 2021, Malwarebytes confirmed that Emotet’s special day was set for 25 April 2021. Meaning that on this day, Emotet infections will be uninstalled from their victims’ machines.

What is Emotet?

Emotet is (was?) one of the most prolific malware variants to have ever existed. Largely delivered via spam emails and phishing, the Trojan has developed over the years. Emotet was first observed in 2014 as a banking Trojan designed to infiltrate their targets and steal sensitive information. It has since evolved to lay dormant upon attempts at analysis, uses command and control (C2) servers to receive updates, and was capable of installing secondary payloads of malware such as the “Ryuk” ransomware and “TrickBot” banking trojan. 

A snippet of an infographic detailing Emotet’s infection stages and secondary payload deliveries.
A snippet of an infographic detailing Emotet’s infection stages and secondary payload deliveries. (Source: Europol).

Why is the Emotet Shutdown Important?

The seizure and takedown of Emotet’s infrastructure is a significant victory for law enforcement, cyber security practitioners, and victims alike. Emotet has plagued the landscape since 2014 and caused great financial costs to its targets. According to a 2018 US Department of Homeland Security alert, Emotet has cost State, Local, Tribal and Territorial governments USD 1 million per incident to resolve. Prior to law enforcement’s takedown of Emotet, the malware reportedly controlled over one million machines. Emotet is also estimated to have made an almighty haul of over USD 2 billion over the years. Given the exceptionally large financial losses, the seizure of Emotet was almost certainly deemed to be a necessary objective of law enforcement. In this sense, its importance is clear to see. Emotet has dominated the cyber threat landscape, and taking it off the board represents a symbolic and strategic victory. 

What Was Emotet Shutdown’s Impact on Variants?

Emotet was known to deliver TrickBot, Ryuk and the QakBot banking trojan. This was done with high levels of success and effectiveness; these variants are formidable in their own right. It is currently unknown if these malware variants are impeded by Emotet’s takedown. However, given that the operators of TrickBot, Ryuk and QakBot are themselves technically sophisticated and operationally capable, it is unlikely that Emotet’s seizure and uninstallation will significantly harm their long-term activity.

What’s Next in the Malware Threat Landscape?

We’ve already seen an increase in activity associated with the BazarCall and IcedID malware variants. These surges were observed in March 2021, but reduced in April 2021. BazarCall is known to distribute BazarLoader and BazarBackdoor, which allows for remote access to victim machines. BazarBackdor is also known to deploy Ryuk ransomware. Given that technically sophisticated and operationally capable cybercriminals are likely opportunistic, we will likely see attempts made to fill the space left in Emotet’s wake. 

While the takedown of Emotet is a big win for all but cybercriminals, efforts made to replace it with malware such as BazarCall and IcedID demonstrate that cybercriminal outfits are increasingly organized, ambitious and professionalized. This will almost certainly remain the same in the future; the problem does not end with Emotet, but don’t let this convince you that defenders and law enforcement alike won’t be hot on the tails of any group ambitious enough to replace it. 

You can investigate malware operators and proactively defend your organization a demo request of Search Light (now ReliaQuest GreyMatter Digital Risk Protection).  Through updates on the latest malware types and adversary activity, you can assess the risk they pose to your organization with confidence and proactively  block associated indicators and put preventative measures in place according to MITRE. 

Hundreds of threat actor profiles are continually updated in our Threat Intelligence library in addition to associated TTPs, relevant IOCs, and MITRE techniques mapped by our team at Photon.