Police Take Down 'Dangerous' Emotet Botnet and NetWalker Ransomware Sites

Police agencies around the world, including the RCMP and FBI, say they have crippled one of the worst malware distribution networks by seizing the infrastructure behind the Emotet botnet.

In addition, US officials say the distribution of NetWalker ransomware has also been disrupted. This includes charges against a Canadian and the forfeiture of approximately US$454,530 in cryptocurrency obtained from ransom payments.

According to an indictment unsealed today in Florida, Sebastian Vachon-Desjardins of Gatineau, Que., is alleged to have received at least US$27.6 million as a result of the offenses listed in the indictment.

Emotet control servers in Canada
In a statement on Wednesday morning, the RCMP said 13 of the roughly 50 command and control servers behind Emotet were located in Canada.

The week-long operation involved officials from the Netherlands, Germany, United Kingdom, France, Lithuania and Ukraine.

UPDATE: The ZDNet news service reports that law enforcement officials in the Netherlands are expected to push an update through the seized Emotet servers that will remove the malware from machines infected via the botnet on March 25.

Malwarebytes later clarified that the removal code would execute on April 25.

According to Europol, law enforcement and judicial authorities gained control of the Emotet infrastructure and "took it down from the inside" using a unique and new approach.

"Emotet is one of the most professional and long-lasting cybercrime services," Europol said in a statement. "First discovered in 2014 as a banking trojan, the malware evolved over the years into a solution for cybercriminals. The Emotet infrastructure essentially served as a primary gateway to computer systems globally. Once this unauthorized access was established, it was sold to other top-level criminal groups to deploy further illegal activities such as data theft and extortion through ransomware."

According to the RCMP, Emotet infected more than 1.7 million computers in 226 countries and territories, including 6,000 in Canada. The malware is estimated to be the foundation for 60 percent of cyberattacks and acted as a digital precursor to a wide range of other extremely harmful malware, making it one of the most significant current digital threats.

Emotet was a polymorphic threat: each time it was downloaded, its code was different, which made it difficult to catch with static signature matching alone.

NetWalker also goes down
The NetWalker ransomware group has also been taken down by police. According to online security researchers, anyone visiting the NetWalker website, where the group lists its victims, is now greeted with a notice that reads, "This hidden site has been seized by the Federal Bureau of Investigation. This action has been taken in coordination with the United States Attorney's Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from the Bulgarian National Investigative Service and General Directorate Combating Organized Crime."

In a January 27 statement, the US Department of Justice confirmed the seizure and said NetWalker frequently attacked the healthcare sector to take advantage of COVID-19 concerns.

"We are striking back not only by bringing charges against the responsible criminal actors, but also by disrupting criminal online infrastructure and countering the growing extortion threat wherever possible," said Acting Assistant Attorney General Nicholas McQuaid of the Justice Department's Criminal Division. "Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can have significant results, such as those achieved in today's multidisciplinary operation."

NetWalker is a ransomware-as-a-service operation that, in addition to deploying ransomware, steals data to put more pressure on victims to pay. According to cybersecurity vendor Varonis, the group (also called Mailto by some researchers) has collected more than US$30 million in ransom payments since its first significant attacks in March 2020.

Varonis believes that NetWalker was created in 2019 by a group called "Circus Spider". Circus Spider is one of the newer members of the "Spider" family of cybercriminal groups, which also includes "Mummy Spider". At first it operated like most ransomware strains, establishing an initial foothold via phishing email, then exfiltrating and encrypting sensitive data to hold it hostage for a large ransom. The developers then followed the Maze group's model and expanded into ransomware-as-a-service, allowing "affiliates" to join their network.

Affiliates are chosen for their experience with network intrusion, their ability to speak Russian (according to Varonis the developers do not accept English speakers), and proof of experience, including a demonstrated ability to break into high-value targets.
