The criminal operation behind a dangerous, global botnet has been disrupted.
On Wednesday morning, authorities with Europol announced that an international police action, dubbed “Operation Ladybird,” had successfully disabled the infrastructure behind Emotet, the malicious botnet that has been used to execute ransomware attacks all over the world. The coordinated purge saw “law enforcement and judicial authorities” work together to gain control of the illicit enterprise’s servers and bring down the cybercrime operation “from the inside,” officials said, while providing scant other details.
Authorities in the Netherlands, the United Kingdom, the United States, Germany, France, Canada, Ukraine, and Lithuania all took part in the operation. The takedown appears to have involved police raids in multiple countries—as Ukraine’s Ministry of the Internal Affairs notes that “cyberpolice together with law enforcement agencies of foreign countries conducted simultaneous searches.”
A video on the Ukrainian National Police YouTube shows cops apparently raiding an apartment and trolling through its contents: stacks of cash, gold bars, documentation, multiple cell phones, and various servers and monitors. Officials said that two Ukrainian suspects were identified in connection with the investigation, though they have not been identified. At the same time (as translated by Google), “members of an international hacker group who used the infrastructure of the EMOTET BOT network to conduct cyberattacks have also been identified,” and authorities are looking to detain them, according to a government website.
Europol labeled Emotet the “most dangerous malware” on the internet for its widespread use as a “loader,” a type of malware used to spread other, more destructive types of malware, like ransomware. The trojan, which has typically been spread via malicious email attachments, has seen an explosion in use by criminal hacker groups in recent years. By the end of 2020, this usage was wildly out of control—one report showed a 1,200% increase in attacks between the 2nd and 3rd quarter of that year alone.
“The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware,” Europol authorities wrote Wednesday.
Dutch police provided more details on their own website (translated): “The criminal organization behind Emotet distributed the malware through an extensive and complex network of hundreds of servers. Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay.”
The large police operation wasn’t the only bad news for cybercriminals on Wednesday, however. Not long after the Europol announcement, a notification reportedly appeared on the dark web site typically run by the Netwalker ransomware gang: “This hidden site has been seized by the FBI, as part of a coordinated action by law enforcement against NetWalker ransomware,” the page now reads, according to Bleeping Computer.
Netwalker emerged in 2019 and became one of the most popular ransomware-as-a-service offerings on the dark web. Created by the threat group “Circus Spider” (they are believed to be a member of the larger cybercrime group “Mummy Spider”), the malware has been known for its use in spamming schemes as well as in “Big Game Hunting” operations—attacks in which threat actors target larger, more prominent institutions with high-value data in order to spur a bigger payout.
U.S. and European authorities have not yet released an official statement about the site’s seizure, nor confirmed it.
Update 3:40 PM ET, Jan. 27: The Justice Department on Wednesday afternoon confirmed police action against NetWalker. A Canadian national has been charged in connection with the criminal operation, its site has been disabled, and certain assets related to the criminal activity have been seized:
This week, authorities in Bulgaria also seized a dark web hidden resource used by NetWalker ransomware affiliates to provide payment instructions and communicate with victims. Visitors to the resource will now find a seizure banner that notifies them that it has been seized by law enforcement authorities.