Cybercops Derail Malware Botnet, FBI Makes Ransomware Arrest

January 28, 2021 Updated: January 28, 2021

THE HAGUE, Netherlands—European and North American cyber cops have joined forces to disrupt what may be the world’s largest network for seeding malware infections. The operation appears to strike a major blow against criminal gangs that have used that network for years to install ransomware for extortion schemes and to steal data and money.

Separately, the FBI announced the arrest Wednesday of a Canadian as part of a bid to disrupt a ransomware gang that has targeted the health care sector, but has also hit municipalities, law enforcement and school districts, mostly in the United States. The FBI said it seized nearly half a million dollars in cryptocurrency.

European Union police and the judicial agencies Europol and Eurojust said Wednesday that investigators took control of the infrastructure behind the botnet known as Emotet. A botnet is a network of hijacked computers typically used for malicious activity; this one has effectively served as a primary door-opener for cybercriminals since 2014.

“This is a really big deal,” said Allan Liska, an analyst with Recorded Future. “Emotet was one of the largest, if not the largest, botnets delivering a wide variety of malware. Their botnet consisted of hundreds of thousands compromised hosts which were used to send more than 10 million spam and phishing emails a week.”

The Emotet model of recent years was “a game changer for ransomware gangs who otherwise rely on other access methods,” said Jake Williams, president of Rendition Infosec, another cybersecurity firm.

Emotet has allowed ransomware gangs to skip the the initial step of penetrating computer networks and instead focus on sowing malware that has crippled networks at Western governments, health care systems and educational institutions. This ransomware scrambles data at the targets, who can only get a decoding software key after paying up. Victims who don’t pay risk having the hackers expose their data publicly.

Williams said via text message that although someone will eventually fill the gap, “there’s no question that this will hurt (attackers) and help defenders in the short/mid term.”

Authorities in the Netherlands, Germany, the United States, the U.K., France, Lithuania, Canada and Ukraine took part in the international operation coordinated by the two Hague-based agencies.

Dutch prosecutors said the malware, run out of eastern Europe by a Russian-speaking organization, was first discovered in 2014 and “evolved into the go-to solution for cybercriminals over the years.” It’s been responsible for hundreds of millions of dollars in losses beginning with financial theft. They said two of the main servers for the infrastructure were based in the Netherlands and a third in an undisclosed country.

The Emotet botnet was effectively used to manage the infection of victims and provide a distributed bulwark against takedown attempts by authorities. Law enforcement agents disrupted Emotet by routing its command-and-control infrastructure to servers they controlled, cutting off criminals from their quarry.

Europol said the law enforcement agencies’ approach was “unique and new.”

Later Wednesday in Washington, the FBI announced an attempt to disrupt NetWalker, a relatively new ransomware strain authorities say was used to extort tens of millions of dollars. According to ransomware expert Brett Callow of the cybersecurity firm Emsisoft, NetWalker’s victims include Michigan State University, the Champaign-Urbana Public Health District in Illinois, the College of Nurses of Ontario and the medical school of the University of California at San Francisco, which paid a $1.1 million ransom.

An FBI spokesman said Sebastien Vachon-Desjardins of Gatineau, Quebec, was arrested in the scheme. In a statement, the agency said cryptocurrency worth $454,000 in ransomware income was seized. An indictment unsealed Wednesday said Vachon-Desjardins took part in a scheme to extort an unnamed Tampa, Florida, business. The U.S. will be seeking Vachon-Desjardin’s extradition, according to Justice Department spokesman Joshua Stueve.

Earlier this week, authorities in Bulgaria took down a dark web site that NetWalker used to communicate with its victims, the FBI statement said.

The cryptocurrency intelligence firm Chainalysis said NetWalker, which first appeared in August 2019, was among the world’s top five ransomware strains last year. It has extracted more than $46 million in ransoms from more than 300 victims in 27 countries, mostly in the United States, Chainalysis said.

Callow said it was too early to say how big of an impact the arrest would have on NetWalker, which is run by Russian speakers who lease the “ransomware-as-a-service” to criminals who conduct attacks. He said he was not aware of the group using Emotet for distribution.

The Emotet and NetWalker operations build on an effort by Microsoft late last year to disrupt a different botnet known as Trickbot that was also used in ransomware attacks. The U.S. National Security Agency was also reported to have tried to take down Trickbot.

Costin Raiu, research director at the cybersecurity firm Kaspersky, said the Emotet takedown “should impact other cybercriminal groups’ ability to maintain and grow their botnets. It remains to be seen if they will be able to stage a comeback, be it either as Emotet, or perhaps merge with another group and continue from there.”

Emotet’s malicious “door-opening” software for taking over target computers was delivered in infected email attachments containing Word documents. Dutch prosecutors said different lures used to trick unsuspecting users into opening those attachments included invoices, shipping notices and COVID-19 information.

By Mike Corder and Frank Bajak