Emotet reportedly uninstalls itself on April 25, 2021

[German]Currently, it's reported, that the Emotet malware will automatically uninstall itself from infected systems on April 25, 2021 (1st I reported March) at 12:00 a.m CET. However, it is unclear to me who exactly is behind this action – the German BKA and the Dutch police are mentioned. Here is the information that has just been leaked via security researchers and Europol.


Emotet C&C server seized

A few hours ago it became known that law enforcement agencies (BKA, Europol etc.) seized the infrastructure of the Emotet malware and took control of its servers. In Germany alone, 17 servers have been taken over. I had reported about this action in the blog post German BKA initiate a takedown of Emotet malware infrastructure. There it was still said that the Emotet malware would be sent "into quarantine" on the victim systems. In addition, German Bundeskriminalamt (BKA) logs the IP addresses of the victim systems that contact the Emotet C&C servers. Then, the providers are to be informed so that they can notify the customers about the infection.

Emotet uninstallation scheduled for April 25, 2021?

A Twitter user with the alias mikream noticed a few hours ago that all C&C.servers that can still be contacted are distributing a new payload that is supposed to remove an Emotet infection via script on March 25, 2021 at 12:00. This can be seen from the following tweets, whereby eight C&C servers, which according to the IP are located in Germany, are delivering this payload.

Emotet-Update mit Time Bomb

Addendum: The end date, that triggers the uninstall, may be April 25, 2021, because the month is counted in C from 0-11 – see also this tweet.

Unclear who is behind the action

There is some discrepancy regarding information on who exactly is behind the action. Catalin Cimpanu writes on ZDNet.com that Dutch police state that two out of three of the primary Emotet command-and-control (C&C) servers are located in the Netherlands and have been seized. This source says that the Dutch police are using access to these two key servers to distribute a timebombed Emotet update to all infected hosts.

What makes me suspicious, however, are the IP addresses given in the above tweet, which refer to the Open Telekom Cloud and German sites. Bleeping Computer, on the other hand, writes in this article:


In a phone call with Europol's press office, BleepingComputer was told that the German Bundeskriminalamt (BKA) federal police agency was responsible for this action. The press office, though, did not know the date that law enforcement would uninstall the malware.

They cite a phone call with the press department of Europol, which claims German Bundeskriminalamt (BKA) federal police agency was responsible for this action. Bleeping Computer writes that it is unclear why law enforcement waited two months to uninstall the malware. However, two questions are on my mind:

  • So far, my understanding has been that distributing the update that removes the Emotet malware from an infected system falls within the realm of computer sabotage (we have such a law in Germany) – because something is being changed on the system. In Germany, legal hurdles would have to be overcome.
  • Furthermore, the link to VirusTotal posted in the above tweet makes me wonder. There, the 404 KB update is actually detected as a Trojan by all virus scanners (see the following image).

Emotet-Update auf VirusTotal
Emotet-Update auf VirusTotal, Click to zoom

If I now add up 1+1, we have the situation that the BKA may not actually be allowed to distribute the update with the time bomb (I am not sure about the legal assessment). At the same time, all systems with a reasonably up-to-date virus scanner should actually recognize this update as a Trojan and send it to quarantine. There are reports in several media that an update with Timebomb is being distributed to shut down Emotet. And ZDNet writes that two security companies monitoring Emotet activity have confirmed the process to distribute the update. But it's unclear to me at this point who exactly is behind the action and how successful the whole thing really is at the end of the day.

Addendum: Here is the statement of US Department of Justice (DOJ).

Similar articles:
EmoCrash protectet systems for 6 months against emotet-infections
Cryptolaemus and the fight against Emotet
Microsoft warns of massive Emotet campaign
EmoCrash protectet systems for 6 months against emotet-infections
Warning about a new Emotet-Ransomeware campaign (Sept. 2020)
Microsoft warns of massive Emotet campaign
Emotet Trojan can overload computers on the network
Emotet C&C servers deliver new malware
FAQ: Responding to an Emotet infection
Warning about a new Emotet-Ransomeware campaign (Sept. 2020)
Emotet malware comes as a supposed Word update
New Emotet Campaign during the Holidays 2020
German BKA initiate a takedown of Emotet malware infrastructure


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *