The notorious Emotet malware has finally met its end, as law enforcement mass-sanitizes infected devices worldwide. The cleanup follows the disruption of the Emotet botnet in late January 2021. Alongside the cleanup, authorities have shared the email addresses stolen by Emotet with Have I Been Pwned (HIBP) so that affected users can check their exposure.
Emotet Cleanup Via Automatic Mass Sanitization Of Infected Systems
On January 27, 2021, Europol shared details of a large joint operation against Emotet involving authorities from the US, the Netherlands, Germany, France, the UK, Lithuania, Ukraine, and Canada, with Europol and Eurojust coordinating the international effort.
During this operation, law enforcement disrupted the Emotet botnet by taking over its infrastructure from the inside.
Soon after the disruption, researchers observed a new payload arriving on devices infected with Emotet.
The US Department of Justice subsequently confirmed that this file had been pushed by law enforcement after they replaced the malware on the seized Emotet servers with their own update.
As scheduled, that payload triggered its Emotet uninstallation routine on infected devices on April 25, 2021.
Today at 1:00 PM, our #Emotet-infected machine that had received the special law enforcement file triggered its uninstallation routine.
More details here: https://t.co/LfdPaNXiFm pic.twitter.com/ewTGpg17Ba
— Malwarebytes Threat Intelligence (@MBThreatIntel) April 25, 2021
FBI Shares Email Addresses With HIBP To Alert Victims
Aside from removing the malware, law enforcement is also working to make victims aware of the infection, since Emotet built its botnet out of many devices whose owners had no idea they were compromised.
To that end, the FBI shared data obtained from the Emotet infrastructure with Troy Hunt's "Have I Been Pwned" (HIBP). Regarding this data, Hunt stated in his blog post,
In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown:
1. Email credentials stored by Emotet for sending spam via victims’ mail providers
2. Web credentials harvested from browsers that stored them to expedite subsequent logins
Anyone can now check whether their email address appears in the Emotet data via the HIBP website. HIBP flags this dataset as a "sensitive breach", meaning it is not returned by the public search: to learn whether an address is included, an individual must prove ownership of it through the HIBP notification service, and an organisation must complete a verified domain search. Hunt adopted this approach to keep the list of Emotet victims from being used against them. Anyone whose address does appear should treat both the mailbox password and any passwords saved in the browser on that device as compromised, since those are the two sources the data came from.