International Action Targets Emotet Crimeware – Krebs on Security

Authorities across Europe on Tuesday said they’d seized control over Emotet, a prolific malware strain and cybercrime-as-a-service operation. Investigators say the action could help quarantine more than a million Microsoft Windows systems currently compromised with malware tied to Emotet infections.


First surfacing in 2014, Emotet began as a banking trojan, but over the years it has evolved into one of the more aggressive platforms for spreading malware that lays the groundwork for ransomware attacks.

In a statement published Wednesday morning on an action dubbed “Operation Ladybird,” the European police agency Europol said the investigation involved authorities in the Netherlands, Germany, United States, the United Kingdom, France, Lithuania, Canada and Ukraine.

“The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale,” Europol said. “Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”

Experts say Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking trojan. It propagates mainly via malicious links and attachments sent through compromised email accounts, blasting out tens of thousands of malware-laced missives daily.

Emotet relies on several hierarchical tiers of control servers that communicate with infected systems. Those controllers coordinate the dissemination of second-stage malware and the theft of passwords and other data, and their distributed nature is designed to make the crimeware infrastructure more difficult to dismantle or commandeer.

In a separate statement on the malware takeover, the Dutch National Police said two of the three primary servers were located in the Netherlands.

“A software update is placed on the Dutch central servers for all infected computer systems,” the Dutch authorities wrote. “All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined. Simultaneous action in all the countries concerned was necessary to be able to effectively dismantle the network and thwart any reconstruction.”

A statement from the German Federal Criminal Police Office about their participation in Operation Ladybird said prosecutors seized 17 servers in Germany that acted as Emotet controllers.

“As part of this investigation, various servers were initially identified in Germany with which the malicious software is distributed and the victim systems are monitored and controlled using encrypted communication,” the German police said.

Sources close to the investigation told KrebsOnSecurity the law enforcement action included the arrest of several suspects in Europe thought to be connected to the crimeware gang. The core group of criminals behind Emotet are widely considered to be operating out of Russia.

A statement by the National Police of Ukraine says two citizens of Ukraine were identified “who ensured the proper functioning of the infrastructure for the spread of the virus and maintained its smooth operation.”

A video released to YouTube by the NPU this morning shows authorities there raiding a residence, seizing cash and computer equipment, and what appear to be numerous large bars made of gold or perhaps silver. The Ukrainian policeman speaking in that video said the crooks behind Emotet have caused more than $2 billion in losses globally. That is almost certainly a very conservative number.


Police in the Netherlands seized huge volumes of data stolen by Emotet infections, including email addresses, usernames and passwords. A tool on the Dutch police website lets users learn if their email address has been compromised by Emotet.

But because Emotet is typically used to install additional malware that gets its hooks deeply into infected systems, cleaning up after it is going to be far more complicated and may require a complete rebuild of compromised computers.

The U.S. Cybersecurity & Infrastructure Security Agency has labeled Emotet “one of the most prevalent ongoing threats,” one that is difficult to combat because of its “worm-like” features that enable network-wide infections. Hence, a single Emotet infection can often lead to multiple systems on the same network getting compromised.

It is too soon to say how effective this operation has been in fully wresting control over Emotet, but a takedown of this size is a significant action.

In October, Microsoft used trademark law to disrupt the Trickbot botnet. Around the same time, the U.S. Cyber Command also took aim at Trickbot. However, neither of those actions completely dismantled the crimeware network, which remains in operation today.

Roman Hüssy, a Swiss information technology expert who maintains Feodotracker — a site that lists the location of major botnet controllers — told KrebsOnSecurity that prior to January 25, some 98 Emotet control servers were active. The site now lists 20 Emotet controllers online, although it is unclear if any of those remaining servers have been commandeered as part of the quarantine effort.


A current list of Emotet control servers online. Source: Feodotracker.abuse.ch
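For a defender, a controller list like the one Feodotracker publishes is a hunting input: any internal host that has been talking to a listed Emotet C2 is a candidate for the isolate-and-rebuild treatment described above, and, given Emotet’s lateral spread, so are its neighbours. The following Python script is an added example, not code from the original post or from abuse.ch. It assumes a CSV in the layout of the Feodo Tracker IP blocklist (header `first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware`; verify against the live feed before relying on it) and a key=value firewall/proxy log format; both the blocklist rows and the log lines are constructed sample data using RFC 5737 documentation addresses, not real Emotet infrastructure.

```python
"""Hunt for connections to listed Emotet/TrickBot controllers in firewall or
proxy logs, using a Feodo Tracker-style C2 blocklist.

Added example, not from the original article.  Column names are an
assumption about the abuse.ch CSV layout; all IPs below are constructed
(RFC 5737 documentation ranges), not real C2 servers."""
import csv
import re
from collections import defaultdict

# Constructed sample in the assumed Feodo Tracker CSV layout ('#' lines are comments).
SAMPLE_BLOCKLIST = """\
# Feodo Tracker-style IP blocklist (constructed sample, not real data)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2021-01-20 10:15:02,192.0.2.10,8080,online,2021-01-27,Emotet
2021-01-21 08:40:11,198.51.100.7,443,online,2021-01-27,Emotet
2021-01-18 22:03:45,203.0.113.55,7080,offline,2021-01-24,Emotet
2021-01-19 12:00:00,203.0.113.99,443,online,2021-01-27,TrickBot
"""

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2021-01-27T09:01:12Z src=10.0.5.21 dst=192.0.2.10 dport=8080 proto=tcp action=allow
2021-01-27T09:01:13Z src=10.0.5.21 dst=203.0.113.200 dport=443 proto=tcp action=allow
2021-01-27T09:05:40Z src=10.0.7.3 dst=198.51.100.7 dport=443 proto=tcp action=allow
2021-01-27T09:06:02Z src=10.0.7.3 dst=203.0.113.55 dport=7080 proto=tcp action=deny
2021-01-27T09:10:55Z src=10.0.9.14 dst=203.0.113.99 dport=443 proto=tcp action=allow
2021-01-27T09:11:00Z src=10.0.9.14 dst=192.0.2.10 dport=80 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r".*?action=(?P<action>\S+)"
)


def load_c2_list(text, malware=None, include_offline=True):
    """Parse the blocklist into {(ip, port): row}, optionally filtering by
    malware family and dropping controllers the feed marks offline."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    c2 = {}
    for row in csv.DictReader(rows):
        if malware and row["malware"].lower() != malware.lower():
            continue
        if not include_offline and row["c2_status"] != "online":
            continue
        c2[(row["dst_ip"], int(row["dst_port"]))] = row
    return c2


def find_c2_contacts(log_text, c2):
    """Return {src_host: [hit, ...]} for every log line whose destination is a
    listed controller.  An exact ip:port match is 'ip+port'; a match on the IP
    alone is reported as 'ip-only', because controllers are often reached on
    more than one port and the feed may list only one of them."""
    c2_ips = {ip for ip, _ in c2}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            match, family = "ip+port", c2[(dst, dport)]["malware"]
        elif dst in c2_ips:
            match = "ip-only"
            family = next(r["malware"] for (ip, _), r in c2.items() if ip == dst)
        else:
            continue
        hits[m["src"]].append({
            "ts": m["ts"], "dst": dst, "dport": dport,
            "action": m["action"], "match": match, "malware": family,
        })
    return dict(hits)


def hosts_to_isolate(hits):
    """Hosts with at least one *allowed* exact-match connection to a listed C2:
    these completed a C2 exchange and should be treated as compromised."""
    return sorted(
        src for src, rows in hits.items()
        if any(r["action"] == "allow" and r["match"] == "ip+port" for r in rows)
    )


if __name__ == "__main__":
    c2 = load_c2_list(SAMPLE_BLOCKLIST, malware="Emotet")
    hits = find_c2_contacts(SAMPLE_LOGS, c2)
    for src, rows in hits.items():
        for r in rows:
            print(f"{src} -> {r['dst']}:{r['dport']} {r['action']} "
                  f"[{r['match']}, {r['malware']}] at {r['ts']}")
    print("isolate and rebuild:", hosts_to_isolate(hits))
```

Two design points worth noting. Blocked (`action=deny`) connections are still reported, because a host that tried to reach a controller is infected whether or not the egress filter stopped it; only the isolation list is restricted to completed exchanges. And controllers the feed marks offline are kept by default, since an infection that last beaconed to a now-seized server is still an infection, and a rebuild, not just a block rule, is the fix the article describes.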

Further reading: Team Cymru on taking down Emotet

Source of this news: https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware/
