EMOTET and NetWalker Actors Busted on the Same Day

• Two important international law enforcement operations severely disrupted EMOTET and NetWalker.
• While not all members fell into the hands of the police, the groups will have a hard time getting back together.
• Arrests were made in Canada, Bulgaria, and Ukraine, while servers were seized and “cleaning” payloads were sent.

It’s been a dark Wednesday for cybercriminals, as two of the world’s most notorious and dangerous groups were busted in two separate and unrelated law enforcement operations. The first one to fall was EMOTET, the botnet that has been plaguing the internet world since 2014, running three separate botnets under the context of a “malware as a service” platform. On the other case, the NetWalker ransomware group’s operations were disrupted, money seized, and arrests made.

The EMOTET operation was coordinated by Europol and happened in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. The authorities found and seized several hundreds of servers in these countries, so if the operation was focused on just a few locations, the botnet will continue with only minimal disruption. Two arrests were made in Ukraine.

Wow, is that a floppy disk reader on this Emotet server in Ukraine? Also love the soldering iron next to it. pic.twitter.com/Zb7mKcWwdE

— Costin Raiu (@craiu) January 27, 2021

Having taken control of the EMOTET infrastructure, the authorities are sending a “cleaning payload” to the infected machines, set to remove the botnet on March 25, 2021. The reason for the slight delay is to allow the admins of the infected systems to figure out if they have any subsequent infections and secondary payloads deployed through the EMOTET malware.

All Emotet epochs now are delivering the payload (https://t.co/Tv21VmJm4s) which has the code to remove Emotet on 25 March 2021 12:00. I believe that #Emotet #Killed pic.twitter.com/FnrdqZmQcd

— milkream (@milkr3am) January 27, 2021

The importance of this operation is reflected by this comment by Chris Morales, head of security analytics at Vectra:

The NetWalker ransomware group, which recently hit ‘K-Electric,’ the University of Utah, and also ‘Cygilant,’ was also severely disrupted as a Canadian citizen (Sebastien Vachon-Desjardins of Gatineau, who is considered a key person in its operation) was arrested and charged.

The U.S. Department of Justice seized approximately $454,500 in crypto that was collected from ransom payments. The unsealed indictment considers the seized amount to be only a fraction of the total made by the group, which is estimated to be over $27.6 million.

Additionally, the dark web site of the group that was used for instructing victims on how to pay the ransom was sized by the authorities, and a relevant banner is displayed to the visitors. As it became known now, the server’s location was in Bulgaria and was unearthed by the Bulgarian National Investigation Service.