Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   

Emotet infrastructure disrupted after coordinated action

2021-01-29 09:49:36 UTC   |   by Spamhaus Team   |   Category:  takedown, emotet, xbl
Recent News Articles

You can't buy data hygiene

Spamhaus Botnet Threat Update: Q1-2021

Good-bye, Blocklist Removal Center. Hello, IP and Domain Reputation Checker.

Using our public mirrors? Check your return codes now

Emotet is disrupted, but the malware it installed lives on

Emotet infrastructure disrupted after coordinated action

Some attack vectors Spamhaus is observing in early 2021

Update for Composite Blocklist (CBL) Users


Older News Articles:
Spamhaus News INDEX

On Tuesday, Jan 27, 2021, Europol announced that a coordinated group of international authorities has taken control of the Emotet infrastructure.

We congratulate the authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, who collaborated to disrupt this malicious infrastructure's activity and protect the vulnerable. This level of coordination is no mean feat and illustrates what significant change can be brought about when the internet community pulls together.

As part of this effort, Spamhaus is providing remediation data directly to end-users, networks, and national CERTs to assist in the mitigation of this threat.

Steps that can be taken to address an Emotet infection

Reminder: Even if Emotet is disabled the malware it dropped can remain active! Read more in our companion article Emotet is disrupted, but the malware it installed lives on.

INDIVIDUAL USERS: Ensure that the affected computers are running up-to-date antivirus, and perform a full system scan and change all passwords, including:

  • Computer account administration passwords
  • Email passwords
  • Webmasters: change FTP and CMS credentials

CORPORATE NETWORKS: Emotet will deploy ransomware, which encrypts any corporate data. In most cases, this prevents the organization from operating normally and performing its daily business. If notified that an Emotet infection is present, it is safe to assume that one or more computers are infected.

Any client or server running a Microsoft Windows OS must have an up-to-date antivirus installed, and a full system scan should be performed. Logging on firewalls and web-gateways (e.g., web proxies) should be enabled, and administrators should be on the look-out for indicators of compromise (IOC) connected to Emotet. Passwords of all the affected users and any domain administrator or service accounts should be changed.

CHECK AN EMAIL ADDRESS: The Dutch National High Tech Crime Unit has supplied a tool that can be used to see if an email address and its account credentials has been compromised. The data contains e-mail addresses, usernames, and passwords that are in possession of cybercriminals. We really encourage everyone to see if their email was present when the data was seized and to act with speed if it is found to be compromised! The page is in Dutch and English.

CHECK AN IP ADDRESS: As part of this operation, data is being shared with Spamhaus to remediate Emotet infections. To check if your IP address has been observed talking to Emotet infrastructure go to the Blocklist Removal Center and search for your IP address.

This takedown has showed what remarkable results can be achieved with cooperation of public and private sectors. Once again, we want to iterate what a fantastic effort this has been.

Press releases & announcements

Europol: World’s most dangerous malware EMOTET disrupted through global action
German Bundeskriminalamt: In­fra­struk­tur der Emo­tet-Schad­soft­wa­re zer­schla­gen
Dutch National Police: Internationale politieoperatie LadyBird: wereldwijd botnet Emotet ontmanteld
United Kingdom National Crime Agency: NCA in international takedown of notorious malware Emotet
United States Department of Justice: Emotet Botnet Disrupted in International Cyber Operation
Ukraine National Police: Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні найнебезпечнішого в світі комп’ютерного вірусу «EMOTET»



Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Emotet infrastructure disrupted after coordinated action
http://www.spamhaus.org/news/article/805/emotet-infrastructure-disrupted-after-coordinated-action

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2021 The Spamhaus Project SLU. All rights reserved.
Legal  |  Privacy