Emotet infrastructure disrupted after coordinated action
On Tuesday, Jan 27, 2021, Europol announced that a coordinated group of international authorities has taken control of the Emotet infrastructure.
We congratulate the authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, who collaborated to disrupt this malicious infrastructure's activity and protect the vulnerable. This level of coordination is no mean feat and illustrates what significant change can be brought about when the internet community pulls together.
As part of this effort, Spamhaus is providing remediation data directly to end-users, networks, and national CERTs to assist in the mitigation of this threat.
Steps that can be taken to address an Emotet infection
Reminder: Even if Emotet is disabled, the malware it dropped can remain active! Read more in our companion article Emotet is disrupted, but the malware it installed lives on.
INDIVIDUAL USERS: Ensure that the affected computers are running up-to-date antivirus, perform a full system scan, and change all passwords, including:
- Computer account administration passwords
- Email passwords
- Webmasters: change FTP and CMS credentials
CORPORATE NETWORKS: Emotet will deploy ransomware, which encrypts any corporate data. In most cases, this prevents the organization from operating normally and performing its daily business. If notified that an Emotet infection is present, it is safe to assume that one or more computers are infected.
Any client or server running a Microsoft Windows OS must have an up-to-date antivirus installed, and a full system scan should be performed. Logging on firewalls and web gateways (e.g., web proxies) should be enabled, and administrators should be on the lookout for indicators of compromise (IOCs) connected to Emotet. Passwords of all the affected users and any domain administrator or service accounts should be changed.
CHECK AN EMAIL ADDRESS: The Dutch National High Tech Crime Unit has supplied a tool that can be used to see if an email address and its account credentials have been compromised. The data contains e-mail addresses, usernames, and passwords that are in the possession of cybercriminals. We really encourage everyone to see if their email was present when the data was seized, and to act with speed if it is found to be compromised! The page is in Dutch and English.
CHECK AN IP ADDRESS: As part of this operation, data is being shared with Spamhaus to remediate Emotet infections. To check if your IP address has been observed talking to Emotet infrastructure go to the Blocklist Removal Center and search for your IP address.
This takedown has shown what remarkable results can be achieved with the cooperation of the public and private sectors. Once again, we want to reiterate what a fantastic effort this has been.
Press releases & announcements
Europol: World’s most dangerous malware EMOTET disrupted through global action
German Bundeskriminalamt: Emotet malware infrastructure dismantled
Dutch National Police: International police operation LadyBird: worldwide Emotet botnet dismantled
United Kingdom National Crime Agency: NCA in international takedown of notorious malware Emotet
United States Department of Justice: Emotet Botnet Disrupted in International Cyber Operation
Ukraine National Police: Cyberpolice exposed a transnational hacker group distributing the world's most dangerous computer virus, "EMOTET"