In November, 10 months after an international working group shut down Emotet’s servers and infrastructure, the botnet went back online.
The new Emotet spread malware through a large number of Spanish messages in the second half of this month. It consists of two botnets that use different communication encryption and additional commands. The previous version was taken down in January. At the time of the takedown, the threat accounted for 7% of attacks on organizations worldwide and was regularly used to deliver malware or ransomware to the 1.6 million machines it had compromised.
Emotet's revival underscores that many botnet takedowns are not durable. David Monnier, a researcher at threat intelligence company Team Cymru, said that, together with the revival of TrickBot in 2020, the return of Emotet shows that industry and government agencies should seriously consider whether the strategy needs to be reviewed or revised.
“This is a very effective question that we should ask, just like we do with anything: if you don’t get the results you want, should [you] be doing something different?” he said. “Are we getting better, or is this [the movie] ‘Groundhog Day’?”
Temporary interruption
More than ten years ago, Microsoft took the lead in using legal measures that allow private companies to take down botnets. After many takedowns, multi-organizational efforts, now usually involving law enforcement and private industry partners, have typically only temporarily disrupted botnet infrastructure. For example, the operators of Trickbot began to restore their network within a few weeks of the initial shutdown.
In Emotet’s case, the takedown resulted in a 10-month outage, during which the botnet operators appear to have made changes, such as relying less on cybercrime services to handle parts of their infection and payload chain, said Scott Scheferman, chief network strategist at firmware and hardware security company Eclypsium.
“These actors have strong adaptability and a lot of money. Therefore, they can adapt easily,” he said. “They are returning to the trinity of distribution, Trickbot loader and ransomware delivery. They are focusing on restoring themselves rather than using everything as a service.”
The fundamental problem for defenders is that although the infrastructure may be destroyed, the people behind the attacks, usually protected by complicit states with lax cybercrime laws, are not restrained and remain able to rebuild their malicious distribution networks. The United States and other countries have focused on taking more aggressive measures to curb cybercrime in general, and ransomware in particular, but the profits of cybercrime are too high for many groups to give up their business.
Michael DeBolt, chief intelligence officer of threat intelligence company Intel 471, said: “Many of these mature actors that have become prolific, Emotet and REvil, are indeed out of reach of the West to carry out an action,” adding that these disadvantages do not make the activity unworthwhile. “However, from a higher level, it is clear that disruption of complex groups should not only be the goal of law enforcement agencies, but also the goal of private industry groups.”
He added that in addition to dismantling the infrastructure of specific actors, focusing on identifying and disrupting critical criminal infrastructure, such as bulletproof hosting, may bring more long-term benefits. For example, in 2011, researchers found that 95% of the sales revenue of spam-advertised products was handled by about 12 banks, which enabled financial authorities to crack down on a wide range of criminal groups.
Defenders and government officials need to identify similar key points in the current cybercrime landscape.
“It boils down to really identifying the pain points that can increase the time, money, and energy required by cybercriminals to conduct business,” DeBolt said. “If we identify the server or the back-end infrastructure and take it down, we will see that, well, it does not completely cut off the snake’s head, but it causes them to retreat slightly and re-adjust, and then that’s time, money and hard work for them.”
Keep working hard
Some takedowns have been successful. The removal of the Necurs botnet, which acted as a distribution platform for other malware such as GameOver Zeus and Trickbot, seems to have largely worked. After Microsoft and Bitsight led the takedown, the botnet essentially disappeared in March 2020. The botnet has gone silent and returned before, however.
Nevertheless, many attackers will still learn from such actions and return with improved tactics, techniques, and procedures (TTPs). Fortunately, defenders and law enforcement personnel have also become more effective in their disruption operations, said Team Cymru's Monnier. He said that although the current balance seems to favor the attacker, if a disruption takes less time for the defender to carry out than the attacker needs to recover, then temporarily shutting down servers and infrastructure will be worthwhile.
The former US Marine said that there may not be a panacea or a single incident that can undermine these efforts, but continued efforts will continue to put pressure on the group and reduce the profitability of cybercrime.
“We have a saying in the Marine Corps: You can choose between the pain of discipline or the pain of regret,” Monnier said. “We must take the same approach, with the same tenacity. As long as we make it harder for them, we must do this.”