Emotet Malware Taken Down By Global Law Enforcement Effort, Cleanup Patch Pushed to 1.6 Million Infected Devices
Friday, April 30, 2021
The Emotet botnet, widely considered to be the most dangerous of its type in the world, has been dissolved as of April 25. An international law enforcement campaign that began in 2020 culminated in the infiltration and control of the botnet’s infrastructure, with a beneficial payload delivered to infected devices that scrubs the Emotet malware from their systems.
Law enforcement removes a substantial online threat
Pushing a background payload in order to disable the Emotet malware is a potentially problematic solution from a legal standpoint, but some law enforcement agencies (such as the US Department of Justice) are pointing out that their own government is not involved; the malware servers are now under the control of the German federal police agency. Ilia Kolochenko, Founder and Chief Architect for ImmuniWeb, points out that this sets a precedent that could potentially move in dangerous directions: “If viewed in as an isolated event, this is a laudable and highly successful operation of law enforcement. However, privacy advocates may sooner or later start questioning such anti-malware operations in cyberspace as potentially intrusive and unwarranted. There are also some chances that removal may damage the infected system due to some unforeseeable circumstances, such as unique or unusual configuration of the compromised machine. Where I see the risk is that hostile nation states may follow the US and EU example and deploy massive cleaning operations in the Internet that would be difficult to monitor and control. Attribution of hacking attacks, disguised as cleaning campaigns, will become almost impossible from technical and legal viewpoints.”
Malware researchers found that the update (a customized DLL file named “EmotetLoader.dllsent”) deletes Emotet’s autorun registry keys and associated Windows services but does not touch anything else on the device, including any other types of malware that might be present. The US has established some precedent for unauthorized law enforcement remote access for the purpose of malware removal, however; the FBI received a court order earlier this month allowing it to remotely remove web shells from Microsoft Exchange servers as part of the response to the email vulnerabilities discovered earlier this year. It was the first time that a US government or law enforcement agency had accessed private computer property for the purpose of malware remediation. Read Full Article
Infosecurity Magazine: Ransomware Task Force Urges Tighter Crypto Regulation
IT World Canada: Task force calls for international action against ransomware