Microsoft has this week sent a warning to customers urging them to remain vigilant following a recent takedown raid on Emotet botnet servers. The Redmond company took down hundreds of servers late last month as part of an ongoing fight against cybercrime.
Despite the takedowns, Microsoft says customers remain at risk and need to keep their security robust. Emotet is a relatively old and solvable trojan that has been around since 2014. However, threat actors have evolved the botnet to become the most dangerous in circulation.
It is used by a threat group known as Mummy Spider (TA542) to deploy other malware types such as Trickbot. Microsoft says its efforts to disrupt Emotet by breaking its infrastructure mean activity has fallen significantly.
However, the company points out that does not mean the threat has been eliminated:
“Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns,” Microsoft says in a tweet. “Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.”
— Microsoft Security Intelligence (@MsftSecIntel) February 8, 2021
Microsoft did another round of targeting Emotet servers during January alongside a wider action run by Eurojust and Europol. Law enforcement agencies from several countries were able to seize servers for the botnet, making it easier to take down activity.
“Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected,” Germany’s BKA told BleepingComputer.
“An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences.”
Importantly, law enforcement agencies are also rolling out a new Emotet module. It will be available for infected devices and help them uninstall the malware. That new module will be available on April 25, 2021.
So, does that mean the botnet is gone for good? Well, it’s going to be hard for threat actors to resurrect it, but Microsoft’s caution is telling. The company is aware other botnets have been able to come back after similar removal efforts.