The criminal operation behind a dangerous, global botnet has been disrupted.
On Wednesday morning, international authorities with Europol announced that a global police action, dubbed “Operation Ladybird,” had successfully taken down the infrastructure behind Emotet, the malicious botnet that has been used to execute ransomware attacks all over the world. The coordinated operation saw “law enforcement and judicial authorities” work together to gain “control of the infrastructure” and take it down “from the inside,” officials with Europol said, while providing few other details.
Authorities in the Netherlands, the United Kingdom, the United States, Germany, France, Canada, Ukraine, and Lithuania all took part in the operation. The takedown appears to have involved police raids in multiple countries — Ukraine’s Ministry of Internal Affairs notes that “cyberpolice together with law enforcement agencies of foreign countries conducted simultaneous searches.”
A video on the Ukrainian National Police YouTube channel shows officers apparently raiding an apartment and trawling through its contents: stacks of cash, gold bars, documentation, multiple cell phones, and various servers and monitors. Officials said that two Ukrainian suspects were identified in connection with the investigation, though their names have not been released. Also (as translated by Google), “members of an international hacker group who used the infrastructure of the EMOTET BOT network to conduct cyberattacks have also been identified,” and authorities are looking to detain them, according to a government website.
Europol labelled Emotet the “most dangerous malware” on the internet for its widespread use as a “loader,” a type of malware used to spread other, more destructive types of malware, like ransomware. The trojan, which has typically been spread via malicious email attachments, has seen an explosion in use by criminal hacker groups in recent years. By the end of 2020, this usage was wildly out of control — one report showed a 1,200% increase in attacks between the 2nd and 3rd quarter of that year alone.
“The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware,” Europol authorities wrote Wednesday.
Dutch police provided more details on their own website (translated): “The criminal organisation behind Emotet distributed the malware through an extensive and complex network of hundreds of servers. Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay.”
The large police operation wasn’t the only bad news for cybercriminals on Wednesday, however. Not long after the Europol announcement, a notification reportedly appeared on the dark web site typically run by the Netwalker ransomware gang: “This hidden site has been seized by the FBI, as part of a coordinated action by law enforcement against NetWalker ransomware,” the page now reads, according to Bleeping Computer.
Netwalker emerged in 2019 and became one of the most popular ransomware-as-a-service offerings on the dark web. Created by the threat group “Circus Spider” (believed to be a member of the larger cybercrime group “Mummy Spider”), the malware has been known for its use in spamming schemes as well as in “Big Game Hunting” operations — attacks in which threat actors target larger, more prominent institutions with high-value data in order to spur a bigger payout.
U.S. and European authorities have not yet released an official statement about the site’s seizure, nor confirmed it.