Law enforcement officials are taking another stab at taking down Emotet.
For years cybercriminals have used Emotet, a botnet (a network of infected computers), to spread ransomware such as Ryuk and other malware around the world. The activity has caught the attention of law enforcement officials worldwide, who have helped countless victims respond to these kinds of infections.
But over the weekend, authorities sent a specially crafted file to infected devices that is meant to stop Emotet from running automatically on those machines. The action is intended to remove Emotet’s persistence mechanism and disrupt any existing infections, according to security researchers at Malwarebytes.
It’s the last step of an operation targeting Emotet that law enforcement authorities from around the world launched earlier this year. U.S. and European authorities said in January they had taken control of the botnet’s computing infrastructure and arrested several of its operators.
It’s unclear if this action will keep Emotet at bay for good, as botnets have proved resilient in the past. Botnets typically are able to rebuild after takedown operations; TrickBot, a botnet that Microsoft and the Department of Defense’s Cyber Command targeted last year, has resurfaced in recent months.
Authorities have to keep on top of Emotet in part because its operators have usually taken breaks between campaigns in order to retool, which could make the recent interruption little more than a temporary setback, according to security company Redscan.
“Historically, Emotet’s operators used long breaks in activity to improve their malware,” Redscan said in a blog post. “This means there is a realistic possibility that Emotet’s operators will use this opportunity to make the loader malware even more resilient, for example, by using polymorphic techniques to counter future coordinated action. They could also use the Emotet source code to branch off and create smaller, independent botnets.”