Emotet Cleanup Continues As LEAs Mass Sanitize PCs, Share Victim Emails To HIBP

The notorious Emotet malware has finally come to an end, as law enforcement agencies mass-sanitize infected devices around the world. This large operation follows the disruption of the Emotet botnet in late January 2021. Alongside the Emotet cleanup, authorities have shared the stolen email addresses with Have I Been Pwned (HIBP) so that affected users can check whether they were victims.

Emotet Cleanup Via Automatic Mass Sanitization Of Infected Systems

On January 27, 2021, Europol shared details of a large joint operation against the notorious Emotet botnet involving many countries. The operation specifically involved the US, the Netherlands, Germany, France, the UK, Lithuania, Ukraine, and Canada, with Europol and Eurojust coordinating the international activity.

During this operation, the law enforcement authorities disrupted the Emotet botnet by taking over the infrastructure from the inside.

Soon after the disruption, researchers observed a new payload arriving on devices infected with Emotet.

Shortly afterward, the US Department of Justice confirmed that the new file had been rolled out by law enforcement after they replaced the malware on the Emotet servers.

As scheduled, this payload began its intended function of removing the Emotet malware from infected devices on April 25, 2021.

FBI Shares Email Addresses With HIBP To Alert Victims

Aside from removing the malware, the law enforcement authorities are also taking steps to make victims aware of the infection. That is necessary because Emotet built a sophisticated botnet out of many devices without the knowledge of their respective users.

Thus, the FBI shared the data obtained from the Emotet infrastructure with Troy Hunt’s “Have I Been Pwned” (HIBP). Regarding this data, Troy Hunt stated in his blog post:

In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown:
1. Email credentials stored by Emotet for sending spam via victims’ mail providers
2. Web credentials harvested from browsers that stored them to expedite subsequent logins

Hence, all users can now check whether their email addresses are included in the Emotet data via the HIBP website. The website currently marks this data set as a “sensitive breach”. That means individuals must verify ownership of the email address they are checking, either through the notification center or by performing a domain search. Hunt has adopted this approach to protect the Emotet victims from further harm.
