It may seem sometimes that the ransomware epidemic is getting worse, but occasionally there’s some good news. At the end of January 2021, years of work by law enforcement culminated in taking down Emotet, one of the world’s biggest malware-as-a-service (MaaS) operations. A joint task force including police from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine seized control of multiple servers and made a series of arrests.
In all, the police took down over 700 botnet servers, making this the biggest operation of its kind in history. This will provide welcome relief: in Q3 of 2020, attacks carried out using the Emotet botnet surged over 1200%. Ukrainian authorities estimated the damage caused by Emotet exceeds $2.5 billion USD. In total, experts believe that Emotet has infected more than 1.2 million computers.
This is a major development for the entire cyber-crime ecosystem, including ransomware gangs, since many hackers used Emotet in ransomware attacks. To understand why requires a little bit of background information on Emotet and the role it played for cyber criminals worldwide.
Emotet’s Modus Operandi
Emotet first started out as a trojan designed for stealing banking credentials. The hackers behind it were so good at breaking into systems that they decided to start offering their services to other hackers, and their virus evolved into a loader. A loader is a type of virus that specializes in delivering other types of malware. The best-known payloads delivered by Emotet are Trickster, a trojan which steals banking details, and Ryuk, a common ransomware variant.
Emotet spent years building an extensive network of infected computers called a botnet; in other words, an army of infected computers. The gang was known for renting out access to this botnet to other gangs, making it easier for all kinds of hackers to break into networks worldwide.
One of the main tasks performed by this botnet was the distribution of infected emails. Emotet pioneered the technique of embedding compromised Word documents in emails. Some emails would be sent as spam, but in some cases they would be disguised to look like legitimate replies from known contacts. When the victim opened the Word document, it would inject the loader into the system, opening the way to deliver the payload.
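The document-in-email delivery described above is something a mail gateway or incident responder can check for directly. The following is an added example (not code from the original article or from any vendor mentioned in it) that parses a raw email, lists its attachments, and flags any Office document that either uses a macro-capable extension or, regardless of extension, contains a VBA project inside its zip container. The sample message it builds is constructed for the demonstration; the `vbaProject.bin` entry holds placeholder bytes, not real macro code.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Office uses for macro-enabled or legacy binary documents.
# A renamed attachment can sidestep this list, which is why the zip check below exists.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".dot"}


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office document carries a VBA macro project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment: filename, whether the extension is
    macro-capable, and whether a VBA project was found inside the file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({
            "filename": name,
            "macro_extension": ext in MACRO_EXTENSIONS,
            "vba_project": has_vba_project(data),
        })
    return findings


def suspicious_attachments(raw: bytes) -> list:
    """Filenames worth quarantining: macro-capable by extension or by content."""
    return [f["filename"] for f in scan_message(raw)
            if f["macro_extension"] or f["vba_project"]]


def build_sample_message() -> bytes:
    """Constructed sample: a reply-looking mail with a .docx that hides a VBA
    project (the extension alone would not flag it) plus a harmless text file."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00 constructed placeholder, not real VBA")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(
        doc.getvalue(), maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="invoice.docx")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
    print("quarantine:", suspicious_attachments(build_sample_message()))
```

The content check matters more than the extension check: a `.docx` is not supposed to carry macros, so a VBA project inside one is a stronger signal than the filename suggests. In a real gateway you would also unpack nested archives before applying the same test.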
Not all payloads are malicious, however. In a fine example of ethical hacking, law enforcement agencies involved in shutting down Emotet actually used the Emotet trojan to clean up infected servers. After taking control of the botnet, they sent a trojan to all of the infected systems, but instead of malware, the payload was a program which permanently uninstalled the malware from victims’ machines.
The Implications of the End of Emotet for Ransomware
At first glance, taking down the world’s most dangerous botnet seems like a positive development. It could drastically reduce the effectiveness of a variety of malicious actors, reducing the number and severity of attacks.
However, it is certain that other hackers will step in to fill this gap. It may take some time to do so, as many of the infected computers in Emotet’s botnet may have been infected years ago, before the introduction of newer security patches. There is already some evidence that Ryuk is using another loader called Buer.
One possible downside of the takedown is that hackers who use Emotet for ransomware delivery will replace it with more sophisticated software. For example, Buer is believed to have more effective methods of avoiding detection. Now that there is room in the market for newcomers to grow, we may see more powerful botnets. The techniques used by hackers have been refined considerably in the past few years. Whoever tries to take Emotet’s place will have all of this at their disposal.
Bigger botnets could mean lower prices for ransomware attackers looking for malware-as-a-service providers. In the past year, we have seen a gradual shift towards larger scale spear phishing attacks. If a larger, cheaper, and more effective botnet emerges, we might see more spam emails targeting smaller scale users.
This development would be unlikely to impact the rate of larger scale attacks. Specialized teams that develop unique attack plans for each target are usually behind high profile attacks. These attacks involve breaking through a higher level of security, which requires more sophisticated methods. If you’d like to learn more about spear phishing attacks, you can read about them here.
How to Protect Against Emotet’s Successor
Although there may be fewer cyberattacks in the short term, that doesn’t mean you should let your guard down. As Emotet’s successors fill the vacuum, we may see a wave of attacks as hackers build new and improved botnets.
Buer, for example, uses a tactic similar to Emotet’s infected documents. Like Emotet, the up-and-coming MaaS operation uses documents to spread. Buer has expanded beyond Microsoft Word to include Google Docs. In most cases, this will appear as a link in an email. The email might be an ordinary piece of spam, or a seemingly legitimate email.
The link directs the victim to a document which will launch a prompt. The prompt asks the victim to enable scripts in order to view the document. If they accept, it injects the loader. This is a clever new variation on an old trick. It shows the importance of regular anti-phishing awareness and training events. In our experience, the vast majority of ransomware attacks, especially larger scale attacks, involve phishing.
We detected a small drop in ransomware cases after Emotet was shut down, but overall attacks are still on the rise. It may seem like a pain, but putting extra resources towards cybersecurity is a good investment. In the long term, the extra time will certainly be worth it.
Always make sure you are using the latest antivirus software, and stay up to date on updates and patches. If you do get hit by ransomware, you can always contact us for a free consultation and find out more about your options. We also provide consultation in the aftermath of attacks to minimize your chances of repeat infection.