FBI, Partners Disarm Emotet Malware

Global law enforcement and private sector take down a major cyber crime tool

The FBI worked alongside foreign law enforcement and private sector partners in an innovative, coordinated effort to take down a destructive piece of malicious software, or malware, known as Emotet.

First observed in Europe in 2014, Emotet expanded its reach over the years and was behind millions of costly cyberattacks across the globe. The FBI opened its first related investigation when a North Carolina school district was compromised by Emotet in 2017.

“The Emotet malware has evolved substantially since it was first observed by industry,” said Special Agent Jessica Nye, the cyber squad supervisor in the FBI’s Charlotte Field Office. “It became increasingly stealthy in its ability to gain access to your computer, which then opened the door to additional malware.”

Usually delivered through an infected email attachment or link, the nimble and ever-mutating code was able to slip past most antivirus software. Once it was installed, it allowed criminals to load additional damaging software onto a computer. In some cases, that additional malware was a banking trojan that recorded online banking credentials and then stole from victims’ accounts. In other cases, Emotet allowed the installation of malware that enabled a ransomware attack.

The FBI has seen Emotet hit nearly every sector within the U.S.—paralyzing school systems, small and large businesses, non-profits, government services, and individuals. “Emotet did not discriminate,” Nye said.

Even if a victim of Emotet avoided a ransomware attack or direct financial loss, the disruptions and expense of remediating the infection were substantial. “Victims incurred substantial monetary costs to effectively clean compromised machines,” Nye stressed. According to the U.S. Cybersecurity and Infrastructure Security Agency, Emotet infections cost local, state, tribal, and territorial governments up to $1 million per incident to remediate.

Last week’s global action allowed law enforcement to dismantle the foundational components of Emotet’s operation—taking down multiple layers of infrastructure located around the world. “Through the combined efforts of the incredible FBI team, foreign partners, and private sector partners, the command and control network of Emotet was significantly impacted,” Nye said. “To recreate this botnet, the criminals would have to rebuild from scratch.”

The unprecedented effort closed off the access this malware had opened to millions of machines. “When you can take out the delivery arm of all these countless pieces of malware, it means greater protection and limiting the ability of cyber criminals to get onto machines throughout the globe,” Nye explained.

The FBI identified more than 45,000 computers and networks in the United States that had been recently affected by Emotet malware. “The Emotet malware on those machines is no longer harmful to those it infected,” Nye reassured.

The cyber strategy the FBI released in 2020 prioritized efforts to impose greater cost and risk on cyber criminals—relying on strong partnerships across every industry and around the world to do so. Nye said that the action on Emotet shows how the FBI can use its insight, expertise, and global reach to make an impact.

“The beauty of the FBI and our partnerships across the world is that they create remarkable opportunities to achieve a disruption,” Nye said. “It can mean finding new techniques like this one that targeted the infrastructure behind the malware.”

While the threat posed by Emotet is now diminished, there are other malware strains that are active, and more threats are to come.

The best way to avoid malware is to exercise extreme caution online. Be wary of every link and every attachment. Nye said that the Emotet malware was distributed through phishing or spearphishing emails, but once it was on a computer, it could use more sophisticated techniques to infect other machines.

One of those techniques is called email thread hijacking. Say you are communicating with a dozen colleagues about an upcoming meeting via email from an infected computer. The cyber criminals could monitor your inbox and send a message to everyone on that email chain with a document that would make perfect sense—such as a draft agenda. Each person on that email chain could then unknowingly download the malware when they open that document. “You really have to question every attachment,” Nye said.
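The thread-hijacking pattern described above, as an added example that is not part of the FBI article and is not derived from Emotet's own code: a small Python heuristic, using only the standard library, that compares a reply against the earlier messages in the same thread and flags the traits the article attributes to a hijacked reply (it claims membership in an existing conversation via In-Reply-To/References, reuses a known participant's display name from an address the thread has never seen, and carries an Office document). The two messages, the addresses, and the list of risky attachment extensions are constructed for illustration and are assumptions, not data from the case.

```python
"""Heuristic check for thread-hijacked replies (added example, not FBI code)."""
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Attachment types commonly used as macro lures; this list is an assumption.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip")


def thread_participants(raw_messages):
    """Map lower-cased display name -> set of addresses seen in From/To/Cc."""
    seen = {}
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        headers = [msg.get(h, "") for h in ("From", "To", "Cc")]
        for name, addr in getaddresses(headers):
            if addr:
                seen.setdefault(name.strip().lower(), set()).add(addr.lower())
    return seen


def hijack_indicators(raw_reply, participants):
    """Return human-readable indicators for a reply; an empty list means nothing odd."""
    msg = message_from_string(raw_reply, policy=policy.default)
    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    known_addrs = {a for addrs in participants.values() for a in addrs}

    # A reply that references the thread but comes from an address the thread
    # never used is the core of the hijack; reusing a known name makes it worse.
    if in_thread and addr not in known_addrs:
        if name in participants:
            indicators.append(
                f"display name '{name}' belongs to {sorted(participants[name])} "
                f"but reply came from {addr}")
        else:
            indicators.append(f"in-thread reply from unseen address {addr}")

    # A Reply-To that diverges from From redirects any answer to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        indicators.append(f"Reply-To {reply_to} differs from From {addr}")

    # Emotet's lure was typically a document attached to the forged reply.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            indicators.append(f"Office/archive attachment {fname}")
    return indicators


# Constructed sample thread starter (not real mail).
THREAD = ["""From: Alice Example <alice@example.org>
To: Bob Example <bob@example.org>, Carol Example <carol@example.org>
Subject: Planning meeting Thursday
Message-ID: <1001@example.org>
Content-Type: text/plain

Can everyone make 10am Thursday?
"""]

# Constructed forged reply: same display name, different sender domain,
# references the real thread, and carries a Word document named like an agenda.
HIJACKED_REPLY = """From: Alice Example <alice@example-mail.net>
To: Bob Example <bob@example.org>, Carol Example <carol@example.org>
Subject: RE: Planning meeting Thursday
In-Reply-To: <1001@example.org>
References: <1001@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Draft agenda attached, please review before Thursday.

--b1
Content-Type: application/msword; name="Agenda_draft.doc"
Content-Disposition: attachment; filename="Agenda_draft.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def check_sample():
    """Run the heuristic on the constructed forged reply."""
    return hijack_indicators(HIJACKED_REPLY, thread_participants(THREAD))


if __name__ == "__main__":
    for line in check_sample():
        print("indicator:", line)
```

The check is deliberately narrow: it only compares a reply against mail the recipient already holds, so it flags nothing for a genuine participant and nothing for an unrelated first-contact message. In practice a mail gateway would combine this with authentication results (SPF, DKIM, DMARC) and attachment sandboxing rather than rely on header heuristics alone.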

Emotet deployed topical messages as another way to entice computer users to click. Messages with links pertaining to the 2020 election and information about COVID-19 have been effective lures in the last year.

It is important for you to report malware when you discover it. The FBI can support affected organizations as they deal with a cyber intrusion, and every reported incident helps investigators build insight into current cyber methods.

“There is a backbone of global law enforcement and private sector partners that are investigating this and working on getting the full landscape and site picture of malware,” Nye said. “You could be that piece that we’ve been missing.”

Victims can also report malware and other online crimes and scams to the Internet Crime Complaint Center at ic3.gov. And take a moment to learn more about how to protect yourself from common online crimes and scams.

A Worldwide Effort

The FBI worked with law enforcement in seven other countries to carry out the Emotet takedown.

Our partners at Europol issued additional information about this effort. 