Police Have Disrupted the Emotet Botnet

A coordinated effort has captured the command-and-control servers of the Emotet botnet:

Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware—regular themes include invoices, shipping notices and information about COVID-19.

Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.


A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.

Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.


The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.

EDITED TO ADD (2/11): Follow-on article.

Posted on January 28, 2021 at 6:02 AM15 Comments


Brad Koehn January 28, 2021 7:13 AM

Is there a link to the source article that’s being quoted? It’s usually in the first line of a blog post like this, but not in this post.

David Rudling January 28, 2021 7:31 AM

@Brad Koehn
Not sure of Bruce’s original source but the Europol report can I think be considered an
authoritative source.

ht tps://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

(fractured as usual)

ATN January 28, 2021 7:47 AM

All Windows PCs which were part of the botnet have been patched to the latest version of Windows to secure them, or have been left with all their security holes so they can be part of the next botnet?
First thing a botnet will probably do is break windows auto-update system (it seem to break by itself even on regularly updated systems), so did they fix such system on all the botnet PCs? Or use all those PCs for their own honeypot?

Spellucci January 28, 2021 8:03 AM

There is very little in these articles on apprehending the criminals involved or disrupting the criminal organizations. If LEA disrupts the hardware, but the EMOTET gang has the software, what is to prevent them from setting up new hardware?

Clive Robinson January 28, 2021 9:06 AM

@ ALL,

From the article,

“Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new target”

Err not realy true as has been demonstrated in the past.

If the attackets can gain control of a router or similar that is upstream of the target machines but downstream of the Law Enforcment infrastructure, then they can simply imitate the LE infrastructure.

Whilst their are other tricks that can be used to make this more dificult, at the end of the day it’s a competition as to who ends up controling the “root of trust”(RoT) on the bot machines and by what means[1]

consider the following,

1, They attackers sent out phishing bait.
2, Some users bite and get hooked.
3, The attackers gain access to the users machines.

Now comes the question of what did they do to these machines whilst in that privilege position?

In the past some attackers have patched user machines after they have installed a Remote Access Trojan/Tool (RAT) or similar as a way back in. The OS and Application patching was to keep others from taking the users machine away from the attackers.

Thus most such “bot herder” attackers are aware that they can loose their machines, either to competitors or Law Enforcment(LE).

There are several things they can do to contingency plan. One of which is to keep not just machines they have owned but spare control networks. All using different techniques, so attackers or LE only see part of their assets or think there is more than one set of attackers. However keeping reserves the attackers can just bring up what were formally unknown quiescent bots on-line when needed is safer than trying to regain control of lost bots.

The reason is that lost bots can become Honney Pots to track the activities of the attackers either to locate them or to block the method by which they regain control.

Is there anything the attackers can do to stop any Honey Pot being effective? Well yes they can stop using very vulnerable control systems[1] and implement systems that are difficult if not effectively impossible to stop unless all the bots are not just cleaned up but patched etc[3] on an individual basis. I’ve yet to see evidence that the bot herders have resorted to such measures. Probably because the Internet is such a target rich environment loosing bots is just a minor inconvenience to an effectively run organisation.

[1] As I’ve pointed out before you do not need a “Command and Control Communications”(3C) hierarchical system[2]. In fact you should avoid using such a system if you want resilience. Because when someone else gets control of the 3C Server or even just it’s DNS or IP Address then the original bot herders get taken out of the game.

[2] The only reason to have a 3C server hierarchy and server is because the original attackers have not thought about how to establish effective communications under hostile attack. That is the bots “phone home” which is a very fragile way of doing the communications. For reliability a Broadcast, or continuously evolving and thus self healing Mesh system would both be more resilient.

[3] There are various tecuniques that can be used to deter LE activities “deadmans switches” activated by lack of a heart beat on the bots is one way. Various payloads have been used in the past from back in the early days in networking right up to current times. We’ve seen the power of DDoS attacks and whilst there are ways to “sink hole” attacks on specific targets a DDoS on many targets in a rotating or other manner would prove a very real problem for which the Internet in it’s current incarnation is not realy designed to deal with. Causing all the bots to destroy the data or even some hardware on users machines so they become “bricked” is another. However petty revenge tactics such as these are becoming more of a nuisance than a deterant. From a bot herders point of view making the bots effectively attack proof except from the front panel would be a better objective. There are ways this can be done as a first resort to anyone trying to gain control of the bot.

Bruce Schneier January 28, 2021 10:10 AM

@Brad Koeh:

“Is there a link to the source article that’s being quoted? It’s usually in the first line of a blog post like this, but not in this post.”

Thanks for noticing. Fixed.

AL January 28, 2021 12:06 PM

There is a subsequent story.
“Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021 …
this update contains a time-bomb-like code that will uninstall the Emotet malware on March 25, 2021, at 12:00, the local time of each computer.”

So, there could be some people who have the infection, and won’t know it. They say to check to see if you have it, but I’m not hearing what to check for.

Sancho_P January 28, 2021 1:08 PM

The funny thing is most people are thinking of malicious phishing emails with links or office macros inadvertently installing malware.
But the real enemy to security may be a criminal, deliberately installing malware or selling data sets directly.
Although most are at the top, dishonest people are everywhere in our society.

UK’s NHS: £1 for everything
Small criminals: $36 to $50 per data set

SpaceLifeForm January 28, 2021 3:30 PM

Read what an expert on Emotet has to say.

He is back in US for a reason.

The kill in March is planned for a reason.

hx tps://mobile.twitter.com/malwaretechblog

Winter January 29, 2021 1:25 AM

“He is back in US for a reason.
The kill in March is planned for a reason.”

I followed the link, but I still have no idea what you are talking about. Could you be somewhat more verbose?

SpaceLifeForm January 30, 2021 5:40 PM

@ Winter

MH is an expert, if not the expert on Emotet. He has been watching it for years.

The kill date most likely is tied to cert expiration.

But, in the meantime, collect the data.

hx xps://malwarebytes.com/emotet

SpaceLifeForm February 2, 2021 3:19 PM

Emotet KIll-date corrected.

It is set for 2021-04-25, not 2021-03-25.

ht tps://www.twitter.com/MBThreatIntel/status/1354842730711502850

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.