German BKA initiates a takedown of Emotet malware infrastructure

The German Federal Criminal Police Office (Bundeskriminalamt) and the Frankfurt General Prosecutor's Office (Generalstaatsanwaltschaft) have initiated a "takedown" of the Emotet infrastructure internationally. The Emotet servers were taken over and then the infrastructure was shut down.


Emotet is a family of computer malware in the form of macro viruses that infect recipients with Trojans via attachments to very genuine-looking emails. When a recipient opens the attachment of the email, modules with malicious functions are downloaded and executed. The payload ranges from banking trojans to ransomware.

The Emotet gang has been responsible for numerous successful ransomware attacks on companies, government agencies, and organizations. Emotet was considered the most dangerous malware in the world at the time and has also infected a large number of IT systems at companies, authorities and institutions worldwide, in addition to the computers of tens of thousands of private individuals.

As a so-called "downloader", Emotet had the function of infecting a victim system unnoticed and loading further malware onto it, for example to manipulate online banking, to spy out stored passwords or to encrypt the system for blackmail. The use of this "botnet" created by the perpetrators, together with the loading of any malware, was offered for a fee in the "underground economy". Emotet's criminal business model can therefore be called "malware-as-a-service."

The network of Emotet backers provided other criminals with the basis for targeted cyber attacks. In Germany alone, infections with the Emotet malware or downloaded malware caused damage amounting to at least 14.5 million euros. The damage caused worldwide by Emotet infections runs into the hundreds of millions, if not billions. There are numerous articles on Emotet here on the blog.

German law enforcement and BKA took actions

In a joint announcement (German) by the General Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT) and the Federal Criminal Police Office (BKA) on January 27, 2021, the "takedown" of the Emotet infrastructure was announced. Yesterday, Tuesday, January 26, 2021, an international concerted effort was underway with law enforcement agencies from the Netherlands, Ukraine, Lithuania, France, as well as England, Canada and the United States to take over and dismantle the Emotet malware infrastructure with the support of Europol and Eurojust.


Long-running investigations since 2018

The ZIT and BKA investigations into the operators of the Emotet malware and the Emotet botnet on suspicion of joint commercial computer fraud and other crimes have been ongoing since August 2018, the BKA said.

As part of this investigation, various servers were initially identified in Germany that were used to distribute the malware and to control and manage the victim systems using encrypted communications. Extensive analyses of the data obtained led to the identification of further servers in several European countries. As a result, further data was obtained through international mutual legal assistance, and the Emotet infrastructure was increasingly uncovered by officials from the BKA and international partner agencies.

International action for takedown

Since the components of the Emotet infrastructure identified in this way are located in several countries, yesterday's "takedown" measures were carried out on the initiative of ZIT and the BKA in close cooperation with the international law enforcement agencies concerned. Officials from the BKA and prosecutors from ZIT have already seized 17 servers in Germany. In addition, further servers have also been seized in the Netherlands, Lithuania and Ukraine at the request of the German law enforcement authorities as part of international mutual legal assistance measures.

This action, coordinated by Europol and Eurojust, not only succeeded in preventing the perpetrators from accessing the Emotet infrastructure. Extensive evidence was also secured. In addition, as part of the mutual legal assistance measures in Ukraine, it was possible to take control of the Emotet infrastructure from one of the suspected operators.

Emotet quarantined on victim systems

By taking control of the Emotet infrastructure, the BKA's cyber specialists were able to render the malware on affected German victim systems unusable for the perpetrators. To deprive the cyber criminals of any possibility of regaining control, the malware was quarantined on the victim systems and the malware's communication parameters were adjusted so that the victim systems could communicate exclusively with an infrastructure set up to preserve evidence. The information obtained about the victim systems in the process, such as public IP addresses, is sent to the German Federal Office for Information Security (BSI).

The BSI notifies the network operators in Germany responsible for the transmitted IP addresses. Providers are asked to inform their affected customers accordingly. Furthermore, the BSI provides information on how to clean up affected systems.

For ZIT and BKA, the dismantling of the Emotet infrastructure represents a significant blow against internationally organized cybercrime and, at the same time, a major improvement in cybersecurity in Germany. It will now be interesting to see whether the seized servers and evidence can be used to track down and arrest those behind the Emotet group. And for me, the question remains: Will the cyber criminals of the Emotet Group succeed in setting up a similar infrastructure again?

Addendum: Brian Krebs also has a few details here. The colleagues from Bleeping Computer also address the topic here. The statement from Europol may be read here. A YouTube video from the Ukrainian police shows the raid and the seized hardware of one suspect.

Similar articles:
EmoCrash protected systems for 6 months against Emotet infections
Cryptolaemus and the fight against Emotet
Microsoft warns of massive Emotet campaign
Warning about a new Emotet ransomware campaign (Sept. 2020)
Emotet Trojan can overload computers on the network
Emotet C&C servers deliver new malware
FAQ: Responding to an Emotet infection
Emotet malware comes as a supposed Word update
New Emotet Campaign during the Holidays 2020
