A malware botnet that was used by cybercriminals to infiltrate thousands of companies and millions of computers worldwide has been taken down in an international operation.

The National Crime Agency worked with law enforcement partners across Europe and North America for nearly two years to map the infrastructure of Emotet - a pervasive malware that not only infected computers, but also enabled other malware to gain access and cause significant damage to victim networks.

Europol and Eurojust co-ordinated the operation, which saw the takedown actioned yesterday and searches of properties take place in Ukraine.

NCA investigators led the financial arm of the investigation which included tracking how the criminal network behind the malware was funded, where that funding went and who was profiteering.

Emotet was first discovered as a banking Trojan in 2014 and subsequently gained a reputation amongst the cyber crime community as a key tool to open the door for other malwares and ransomware.

Cybercriminals used Emotet as their first port of call. A botnet would send out emails to unsuspecting victims or companies with the malware either embedded in the email as a downloadable link, or included as a word doc attachment.

When people clicked into the attachments or links, they were prompted to enable content to view the document, but in doing so allowed the malware to install and take hold of their computers.

Emails would often relate to shipping notifications but would also use current events, such as Covid-19 in recent attacks, to entice recipients.

Working with Emotet data, the NCA gained insight of the movement of illicit funds to pay for the infrastructure.

Analysis of accounts used by the group behind Emotet showed $10.5 Million being moved over a two-year period on just one Virtual Currency platform. NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.

Further criminal servers identified by the NCA were also taken offline during the same operation, with at least 700 servers taken down globally with partners.

Nigel Leary, Deputy Director of the National Cyber Crime Unit, said: “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses.

“Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.

“This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically.

“Using our international reach, the NCA will continue to work with partners to identify and apprehend those responsible for propagating Emotet Malware and profiting from its criminality”.

27 January 2021