- The removal of all Emotet payloads is scheduled for Sunday, so this is your last chance to probe networks.
- A few months have passed since the Emotet takedown, and it seems that it’s final and irreversible.
- Directly linked malware families have had their ups and downs as the field adjusts to the new reality.
When an internationally coordinated law enforcement operation took down the most crucial “Emotet” botnet infrastructure in January 2021, the deadline for its final removal was set to March 25, 2021. This was later pushed back by one more month, giving system admins more time to track down all the possible subsequent infections and secondary payloads that the malware may have deployed. With three days left until the final uprooting takes place, Digital Shadows takes a dive into the matter and “decodes” its importance.
First of all, shutting down Emotet’s infrastructure means that a massive-scale malicious operation, one that has brought the crooks over 2 billion USD, comes to an end. This was one of the biggest botnets out there, so a vacuum is inevitably created. Digital Shadows investigators report that, starting in March 2021, there has been a notable uptick in the deployment of BazarCall and IcedID.
In the meantime, the delivery of TrickBot, Ryuk, and the QakBot banking trojan has suffered a blow, and these families will have to work with other distribution platforms if they plan to continue, and it seems that they do. Malware-as-a-Service (MaaS) operations are too lucrative to disappear completely, so nobody expected the Emotet takedown to have such groundbreaking effects on the industry.
At this point, the security world is in a dual state, with a celebratory side and a cautionary one. After all this time, it is clear that Emotet is dead and not coming back. The key people were arrested and the crucial infrastructure was taken down, which is a reason for celebration. On the other hand, despite Emotet’s enormous size, it is really just a drop in the ocean of online threats. Taking down these entities always has a notable impact, but that impact is surely temporary.
As for the admins of potentially compromised systems, you have until Sunday to run your scans. On that day, the final update, in the form of “Emotetloader.dll”, will be delivered, removing the Windows registry key and terminating all running processes on the infected servers. If you have not found out by then what other malware may have been introduced to your systems through Emotet, it will be harder to figure out afterward. This is your last window for a unique opportunity.