On January 27 and 28, 2021, the U.S. Department of Justice (DOJ) announced two successful operations to disrupt two different strains of malware, Netwalker ransomware and a banking Trojan known as Emotet, which have affected victims around the globe and caused millions of dollars in damage in recent years.
The law enforcement actions against Netwalker and Emotet are the latest examples of successful international cooperation in fighting cybercrime that transcends borders: the U.S. partnered with Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden, and Ukraine to disrupt the Emotet botnet, and Bulgarian authorities assisted with the operation against Netwalker. The DOJ announcement regarding Emotet notes that, “Now, more than ever, international collaboration is an imperative… This investigation will be a paradigm of effective international law enforcement cooperation directed at global cybercrime.” Below we highlight key aspects of each operation.
On January 27, 2021, the DOJ announced charges against a Canadian individual in relation to Netwalker ransomware attacks allegedly involving the extortion of tens of millions of dollars. The DOJ also announced that the law enforcement operation involved the seizure of approximately $500,000 in cryptocurrency from ransom payments and the dismantling of a dark web resource allegedly used to communicate with ransomware victims. Bulgarian authorities were able to seize the dark web hidden resource, and web visitors will now find a banner notifying them that the site has been seized by law enforcement.
Netwalker is one of the most common strains of ransomware and has affected victims in a variety of industries. The DOJ notes that attacks have specifically targeted the healthcare sector during the COVID-19 pandemic. Netwalker is frequently cited as an example of ransomware-as-a-service. According to the DOJ announcement, Netwalker “developers” create and update the malware, while “affiliates” conduct the actual ransomware attacks. If a victim pays a ransom, the payment is split between the two groups.
On January 28, 2021, the DOJ announced it had taken part in a multinational effort to dismantle the infrastructure behind the Emotet botnet and malware, which according to the DOJ has caused hundreds of millions of dollars in damage worldwide.
According to the FBI’s application for a search warrant for certain servers associated with Emotet activity, administrators of the Emotet malware use a system of tiered servers to distribute the malware and communicate with infected computers. As part of the international effort to disrupt the botnet, foreign law enforcement agents gained access to servers being used to distribute the malware, and through such access, were able to identify the IP addresses of approximately 1.6 million computers that were infected between April 1, 2020 and January 17, 2021. Of those, over 45,000 infected computers appeared to be located in the U.S.
According to the FBI’s warrant application, on or about January 26, 2021, foreign law enforcement agents working with the FBI replaced Emotet malware on certain servers with a file created by law enforcement, which was then sent out to affected computers as an update. This law enforcement file prevented the administrators of the Emotet botnet from communicating with infected computers.
Emotet malware primarily infects victims through spam messages carrying malicious links or attachments, and once a computer is compromised, the computer becomes part of the Emotet botnet. Emotet is frequently used as a “dropper” or “loader” for other malware, meaning criminals can use Emotet to deliver additional malware, such as ransomware or credential-stealing malware.
Emotet has been one of the most destructive strains of malware since it was first discovered in 2014. In 2018, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on Emotet, warning entities about some of Emotet’s particularly sophisticated characteristics. As a modular banking Trojan that also functions as a downloader for other malware, Emotet can evade typical signature-based detection and has several methods for maintaining persistence as it attempts to spread laterally through local networks.