{"id":2665,"date":"2021-02-09T10:51:44","date_gmt":"2021-02-09T10:51:44","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/uncategorized\/untagged\/emotet-has-been-taken-down-what-does-this-mean-for-business-cybersecurity\/"},"modified":"2025-12-15T16:18:19","modified_gmt":"2025-12-15T16:18:19","slug":"emotet-has-been-taken-down-what-does-this-mean-for-business-cybersecurity","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/emotet-has-been-taken-down-what-does-this-mean-for-business-cybersecurity\/","title":{"rendered":"Emotet Taken Down \u2013 Business Cyber Security and the Future"},"content":{"rendered":"<p><strong>January 2021 &#8211; in one of the biggest operations of recent times, police in eight countries seized 700 command and control (C2) servers used by a botnet called Emotet, cutting it off from the reported 1.6 million computers it has infected since last April.<\/strong><\/p>\r\n<p>The operation, nicknamed Operation Ladybird, involved <a href=\"https:\/\/www.europol.europa.eu\/newsroom\/news\/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action\" target=\"_blank\" rel=\"noopener\">Europol<\/a>, the <a href=\"https:\/\/www.justice.gov\/usao-mdnc\/pr\/emotet-botnet-disrupted-international-cyber-operation\" target=\"_blank\" rel=\"noopener\">FBI<\/a>, and Britain\u2019s National Crime Agency, all of whom were understandably delighted with their work. Within hours, one of cybercrime\u2019s most intractable malware delivery systems had been severely dented and perhaps put out of operation forever.<\/p>\r\n<h2>Are We Now a Lot Safer?<\/h2>\r\n<p>Rather like drug seizures in conventional policing, high-profile botnet takedowns are the kind of news story that makes the public feel as if a blow has been struck. 
In both cases, the public isn\u2019t entirely wrong \u2013 disrupting a botnet\u2019s infrastructure is always a good thing because it halts the flow of damaging malware the botnet distributes. The important caveat is what happens next.<\/p>\r\n<h2>The Evolution of Botnets<\/h2>\r\n<p>First detected in 2014, Emotet was one of a new generation of online banking Trojans distributed using malicious email attachments and links. The key to its success was the way it was developed like a conventional software product, rapidly distributing successive versions targeting numerous banks while adding sophisticated features that blunted detection. Eventually, Emotet started operating like a botnet \u2013 a network of infected machines \u2013 as a way of distributing not only banking Trojans, but <em>any<\/em> payload. This was recently taken to its logical conclusion: Emotet morphed into something resembling a software platform, offering this multipurpose capability as crime-as-a-service, with its makers earning commission for every successful infection.<\/p>\r\n<p>Emotet\u2019s speciality was infected attachments, especially Word documents. This is an effective choice because such attachments are nearly impossible to block: doing so would halt most invoicing, discussion papers, policy documents, and shipping notices. Cleverly, the emails would come as replies to established email threads from known contacts, which also made it easier to persuade targets to enable macros, triggering the malware. Door opened, Emotet would gather profile data about its victim, helping the criminals decide what specific malware payload to deliver, often ransomware.<\/p>\r\n<p>Despite going quiet for periods, police say it\u2019s generated millions of dollars for its creators. Botnets are traditionally measured by counting the number of computers they infect and control at any one time, but this can be misleading. 
A better yardstick is the damage done, and on that score Emotet is among the worst crimeware systems in the world, prominent in numerous malware attacks on companies, universities, schools, and even whole city administrations.<\/p>\r\n<h2>Botnets Have Been Taken Down Before<\/h2>\r\n<p>Ever since they emerged around 20 years ago to distribute spam, botnets have been public enemy number one for police forces, and it\u2019s not hard to see why. As well as being important infrastructure for online crime, they make inviting targets for intervention. Usually, the only chance to stop malware is when it appears at the endpoint, but this has proved unreliable to say the least. A better alternative is to track and disrupt the botnet systems used to distribute malware in the first place.<\/p>\r\n<p>An early tactic was to contact the owners of computers that were part of botnets, the approach taken by the <a href=\"https:\/\/www.govtech.com\/security\/Bot-Roast-II-Reveals-More-Than.html\" target=\"_blank\" rel=\"noopener\">FBI\u2019s Operation Bot Roast<\/a> in 2007, which identified one million victims by their IP addresses. This was ineffective because the botnet controllers could infect new computers faster than the old ones could be cleaned. What it did establish, however, was the basis for anti-botnet cooperation between police forces and tech companies across jurisdictions. That allowed police to move on to more ambitious operations such as 2011\u2019s <a href=\"https:\/\/www.fbi.gov\/news\/stories\/international-cyber-ring-that-infected-millions-of-computers-dismantled\" target=\"_blank\" rel=\"noopener\">Operation Ghost Click<\/a>, which took over the infrastructure of the <a href=\"https:\/\/www.networkworld.com\/article\/2183957\/feds-lead-biggest-botnet-takedown-ever--end-massive-clickjack-fraud.html\" target=\"_blank\" rel=\"noopener\">DNSChanger<\/a> advertising botnet. 
Designed to route infected computers\u2019 traffic through rogue DNS servers (the servers that resolve Internet domain names for web browsers and other software), this had to be shut down carefully over a period of months so that surprised victims weren\u2019t simply cut off.<\/p>\r\n<p>Operation Ghost Click was described as the \u201cbiggest cybercriminal takedown in history.\u201d This seemed fair at the time \u2013 unusually, several individuals were arrested and prosecuted for setting it up \u2013 but the triumphalism was premature; botnets continued to thrive and grow. More anti-botnet operations have followed, for example <a href=\"https:\/\/arstechnica.com\/information-technology\/2013\/12\/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators\/\" target=\"_blank\" rel=\"noopener\">against ZeroAccess<\/a> in 2013, <a href=\"https:\/\/community.broadcom.com\/symantecenterprise\/communities\/community-home\/librarydocuments\/viewdocument?DocumentKey=5a0ee571-2b14-4e02-8ff7-2c32e9227669&amp;CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&amp;tab=librarydocuments\" target=\"_blank\" rel=\"noopener\">Gameover Zeus<\/a> a year later, and the more recent takedowns <a href=\"https:\/\/www.nytimes.com\/2020\/03\/10\/us\/politics\/microsoft-botnets-malware.html\" target=\"_blank\" rel=\"noopener\">of Necurs<\/a> and <a href=\"https:\/\/www.nytimes.com\/2020\/10\/12\/us\/politics\/election-hacking-microsoft.html?searchResultPosition=1\" target=\"_blank\" rel=\"noopener\">Trickbot<\/a> in 2020.<\/p>\r\n<p>Recurring themes have included the involvement of Russian cybercriminals and a reliance on Microsoft\u2019s Digital Crimes Unit (DCU) for botnet intelligence and legal expertise. But the biggest theme of all is simply that none of these actions has ever delivered a knockout blow. A botnet was disrupted, leaving other cybercriminals to exploit the vacuum as a competitive advantage. 
It could be that botnet criminals evolved to dodge the takedowns with more resilient command and control systems, or simply that there are too many botnets in the first place for any one takedown to make much of a difference.<\/p>\r\n<h2>What Happens Next?<\/h2>\r\n<p>The action against Emotet might sound like a version of previous botnet busts, but there are intriguing differences. Not all the details have yet been released, but it appears that the police and tech companies aren\u2019t simply seizing the botnet\u2019s servers and making a few arrests: they are also using the seized infrastructure to push a software update that will remove the botnet from infected computers by 25th March. This is unusual, and also complex for legal and technical reasons. The pay-off is that it should make it impossible for the botnet operators to contact the infected systems using a reconstituted Emotet 2.0, which means there\u2019s a reasonable chance Emotet is gone for good. If that interventionist model becomes a template for future anti-botnet operations, the Emotet takedown could be the botnet operation everyone remembers.<\/p>\r\n<h2>How Can You Avoid Becoming a Victim of a Botnet?<\/h2>\r\n<p>Organisations should undoubtedly take the risks from botnets very seriously, and there are measures you can take to reduce those risks significantly. 
These include:<\/p>\r\n<ul>\r\n\t<li>security policies that control what email users can do from their inboxes<\/li>\r\n\t<li><a href=\"https:\/\/securityintelligence.com\/how-basic-endpoint-patching-helps-protect-against-ransomware-and-other-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">endpoint patching<\/a><\/li>\r\n\t<li>ensuring you have a security team that knows how to look for the <a href=\"https:\/\/www.businessnewsdaily.com\/1368-6-signs-computer-infected.html\" target=\"_blank\" rel=\"noopener noreferrer\">symptoms of infection<\/a>.<\/li>\r\n<\/ul>\r\n<p>Obtaining certification such as Cyber Essentials, Cyber Essentials Plus or <a href=\"https:\/\/amtivo.com\/uk\/standards\/iso-27001\/insights\/benefits-to-business\/\" rel=\"noopener\">ISO 27001<\/a> would help to provide confidence that your security measures are sufficient, or highlight any areas of weakness before they become a problem.<\/p>\r\n<h2>In Conclusion<\/h2>\r\n<p>Each botnet has its own indicators of compromise (IoCs), which in Emotet\u2019s case include a known set of IP addresses for its command and control system. At some point, more detail will become available, and it should make essential reading for security staff looking to plan their organisation\u2019s response. It\u2019s not clear how the authorities will go about cleaning infections, but we expect that SMEs involved will be contacted by local police forces.<\/p>\r\n<p>As in the past, other botnets will fill the gap left by Emotet, learning as much from its downfall as our authorities do. 
Therefore, whilst this operation was a good day for cybersecurity it will not be the last action in a war that\u2019s gone on longer than anyone expected two decades ago.<\/p>","protected":false},"excerpt":{"rendered":"With Emotet gone, businesses can relax &#8211; but staying vigilant against evolving cyber threats is still vital.","protected":false},"author":24,"featured_media":2172,"template":"","meta":{"_acf_changed":false,"_searchwp_excluded":"","footnotes":""},"standard-post-categories":[31],"standard-post-tags":[32],"class_list":["post-2665","standard-post-filter","type-standard-post-filter","status-publish","has-post-thumbnail","hentry","standard-post-categories-insights","standard-post-tags-cyber-essentials"],"acf":[]}