Will Emotet ever bounce back?

Published by: Security Alliance
Published on: March 18, 2021

What happened to the Emotet botnet?

In January 2021, Operation Ladybird took down the critical command and control (C2) and backup infrastructure used by Emotet, arrested two individuals associated with the botnet, and seized computer devices. Europol and Eurojust coordinated action against the botnet with the help of authorities in the Netherlands, Germany, the United States of America, the United Kingdom, France, Lithuania, Canada and Ukraine.

Extensive research to understand the infrastructure used by Emotet enabled a DNS redirection on all the C2 domains used. As a result, each time a victim device attempted to call back to the C2 server, it was redirected to an IP address controlled by law enforcement. This IP address will send an uninstall command to Emotet infections from 12:00 on 25 April 2021. The delay is planned so that SOC and incident response investigators have time to review any uncovered installations.

What is Emotet?

A botnet is a system of infected computers controlled by a malicious entity. The infected devices are used to infect even more systems. Botnets are typically created through large malspam campaigns using phishing attachments to infect unsuspecting users with the botnet code. Once a machine is successfully infected, the code allows the attackers to send it remote commands. Often devices within a botnet are subsequently used to deliver additional malicious emails to the victim's contacts.

The Emotet botnet, like other similar botnets, engaged in a business-like malware operation for initial access, known as malware-as-a-service (MaaS). Botnet operators who offer MaaS can sell or rent access to machines in their botnet to other cybercriminals, enabling them to deliver their own malware, such as ransomware. These services typically use affiliate models and build trusted relationships, effectively running like modern businesses.

How does the Emotet takedown compare to other Law Enforcement takedowns?

Necurs Botnet

In March 2020, the Necurs botnet was taken down through law enforcement intervention by disrupting the Domain Generation Algorithm (DGA) used by the botnet. Security researchers discovered the algorithm, predicted the domains which were to be registered over the next 25 months and blocked them.

12 months on from the disruption of the Necurs botnet (a major distributor of the Dridex malware), there is no evidence of a resurgence of Necurs. However, almost immediately after the intervention, two other botnets, StrangeU and RandomU, went live and sought to fill the gap in the market. StrangeU began registering domains at the beginning of March 2020, followed by RandomU domain registrations in April 2020. Initially, this malware was used sparingly and only to deliver commodity malware. However, in June 2020, StrangeU infrastructure was used to deliver TrickBot, and in July 2020, StrangeU infrastructure was used to deliver the Dridex malware. Following this, in September 2020, StrangeU and RandomU merged and began more regular distribution of the Dridex malware.

TrickBot

In October 2020, US government agencies and Microsoft took action against TrickBot; however, less than two months later, the operators resurged with a similar operational tempo. In this case, however, context was important. October and November 2020 were important months for the US, with the presidential elections in November. Law enforcement were focused on fast action against TrickBot to limit the negative impact that criminals and potentially state-sponsored actors could have on the elections. TrickBot has previously been used to conduct misinformation campaigns during major global events.

If TrickBot resurged, then why hasn’t Necurs or Emotet?

The approach taken to disrupt TrickBot was limited and reactive. Law enforcement focused on the takedown of domains as they were being registered. Re-registration of domains is trivial and something that organised criminal groups do regularly, which meant that there was no sustained impact on TrickBot. The actions taken against the Emotet and Necurs botnets were far more comprehensive and focused on the disruption of key infrastructure, making recovery much more challenging.

What will criminals do without Emotet?

The cybercriminal marketplace behaves as a free market and runs on a supply and demand basis. The takedown of Emotet has introduced a gap in a market where there is heavy demand; this gap will be filled by existing operators or by the introduction of newcomers. The Necurs botnet takedown and the subsequent emergence of replacements is a clear example of the flexibility of these markets.

The introduction of Ransomware-as-a-Service (RaaS) into the cybercriminal market has resulted in a major supply-chain reliance on initial access campaigns. Buyers are constantly seeking to secure this key part of the supply chain. The REvil ransomware gang, for example, has been seen posting advertisements seeking business partnerships with initial access brokers.

However, as many cybercriminal groups operate in a business-like fashion, they will also typically have backup routes to market through other suppliers. As a consequence, infection rates will not be affected by the Emotet takedown for a substantial amount of time. An example of this can be seen with Ryuk ransomware. The Emotet botnet was heavily used in the delivery of Ryuk. However, Ryuk has also been delivered through other attack chains, including the use of TrickBot since at least December 2017, followed by Bazar Loader in September 2020. Buer and Silent Night are less reported delivery mechanisms of Ryuk which have been used since September 2020.

What could happen in the short term?

Gaps in a free market do not remain empty for long. Hence, it is expected that some operators will use this as an opportunity for growth and expansion of operations. It is also known that groups relying on MaaS services typically use multiple botnets, so it is likely that criminal groups will fall back on their backup operators such as TrickBot and Bazar.

Instead of using established operators, some actors may turn to individuals selling initial access on underground forums. We can expect to see an increase in the activity of initial access brokers advertising their services. As threat actors seek initial access through remote services, there will be an increase in the underground trading of gateway solutions.

What could happen in the long term? Will Emotet return?

The current evidence suggests that Emotet will not be returning to the cybercriminal market in the form that we know it. However, what we may see is operators involved in Emotet branching off to create smaller, independent botnets using the Emotet source code, which is what happened with Necurs. Whilst it is possible that senior members of the Emotet botnet will come together again and attempt to recreate it, the reputational damage suffered from the takedown will make this difficult.

What can organisations do about Emotet?

Threat hunting for Emotet artefacts

On 25 April 2021, law enforcement will send an uninstaller for Emotet to all infected devices. Some actors with access may rush to capitalize on the infection prior to this. Therefore, it is recommended that organisations check and investigate for any Emotet infections in their environment prior to this date.
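Because every former Emotet C2 domain now resolves to a law-enforcement address, a DNS answer pointing at that address is a practical hunting signal: the host that asked is still running the implant and trying to call home. The following is an added example (not from the original post or from law enforcement) that scans resolver logs for such answers; the log format, domain names and sinkhole IP are constructed placeholders, and the real sinkhole address must be taken from the published takedown details.

```python
"""Added example: find hosts still calling home to the Emotet sinkhole.

Since the takedown every former Emotet C2 domain resolves to a law-enforcement
address, so a DNS answer equal to that address marks a host that still runs
the implant. Log format, domains and sinkhole IP below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

SINKHOLE_IPS = {"192.0.2.10"}  # PLACEHOLDER, not a real sinkhole address
# Constructed resolver log: "<timestamp> <client-ip> <qname> <answer-ip>"
SAMPLE_LOG = """\
2021-03-17T08:01:12Z 10.1.4.22 c2-placeholder-a.example 192.0.2.10
2021-03-17T08:01:40Z 10.1.4.22 updates.example.com 203.0.113.5
2021-03-17T09:15:03Z 10.1.7.9 c2-placeholder-b.example 192.0.2.10
2021-03-17T11:42:55Z 10.1.4.22 c2-placeholder-a.example 192.0.2.10
malformed line that should be skipped
2021-03-17T12:00:01Z 10.1.9.3 intranet.example.local 10.1.0.5
"""

def parse_line(line):
    """Return (timestamp, client, qname, answer), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2], parts[3]
    except ValueError:
        return None

def find_sinkholed_hosts(log_text, sinkhole_ips=SINKHOLE_IPS):
    """Summarise, per client, how often and when it received a sinkhole answer."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] not in sinkhole_ips:
            continue  # skip malformed lines and lookups that resolved elsewhere
        ts, client, qname, _ = rec
        h = hits[client]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = max(h["last"], ts) if h["last"] else ts
        h["domains"].add(qname)
    return dict(hits)  # hosts listed here need investigation before the uninstall date

if __name__ == "__main__":
    for client, h in sorted(find_sinkholed_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {h['count']} beacon(s), {h['first']:%H:%M}-{h['last']:%H:%M}, {sorted(h['domains'])}")
```

Repeated hits from one client over several hours indicate a live beacon loop rather than a one-off lookup, which is the host to isolate and image first.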

Mitigate the initial access vector

Protection of the perimeter is key to ensuring defence against initial access campaigns. The majority of these campaigns rely on phishing, so robust and trustworthy anti-phishing tools are recommended. Additionally, organisations should ensure that employees are trained appropriately and understand the risks associated with phishing. Initial access campaigns tend to focus on major current events; therefore, we recommend conducting refresher training and phishing tests before these events.

Secure remote access services

Organisations should use both protective and defensive measures on external remote services (VPN, RDP and Microsoft Exchange).