“We should start a support group for Emotet fans affected by the takedown” I joked to a fellow security researcher earlier today. I obviously wasn’t a fan of Emotet — the malware was responsible for some really bad things — but I was nevertheless intrigued by it.
Today, a coordinated action seriously disrupted the malware operation. I’ll leave it for future historians to decide whether the term “the world’s most dangerous malware” was justified and whether Europol was right to use the past tense in its infographic, but this was good work. Congrats to all those involved. I am cautiously optimistic this will have a real impact.
Many others are more qualified than I am to discuss Emotet as a malware operation. You may want to read Luca Nagy’s paper that Virus Bulletin published back in 2019, which contains many technical details. But when I was at Virus Bulletin, I spent years looking into Emotet as a spam operation. I have never seen better spammers than Emotet.
Spam is traditionally seen as a problem of volume. In fact, spam volumes have gradually declined over the past decade. The main reason for this is that we have made it harder for spam campaigns to scale. There are still some very large spam campaigns out there, often still pushing things like Viagra and Cialis, but you’ll be excused if you haven’t seen them for quite some time: almost all of these emails are blocked before they even reach the destination mail server, let alone your inbox.
Emotet isn’t the only spam campaign that discovered that smaller email volumes can be more effective. Most malware and phishing campaigns today are orders of magnitude smaller than the very large campaigns from a dozen years ago: what they lose in volume, they more than gain by having far better delivery rates into users’ inboxes. Being less noisy helps to stay under the radar. Spam filters rely heavily on radars.
Emotet was exceptionally good at this. They managed to evade most spam traps and, at least when I was studying its campaigns, relied almost exclusively on compromised infrastructure. So the emails would typically be sent from a legitimate mail server and the payload would be hosted on a legitimate site. There is always a short window of opportunity before such servers are added to blocklists.
They even started using other people’s email bodies: they would send emails as a ‘reply’ to legitimate emails that they had exfiltrated from the inboxes on computers the malware had infected. Not only is this a very clever social engineering trick (“please see the attached document” is a reasonable reply to many emails), it would also help them bypass content filters.
(They did not appear to do any content filtering themselves: I have seen a number of emails where the email they replied to was actually spam, such as in this 2019 example.)
Spam is notoriously hard to measure. When speaking to a journalist earlier today, I quoted a 90 per cent block rate by email security products as a ballpark figure for Emotet emails. To put this into context: for ordinary spam campaigns, block rates as low as 99.9 per cent are quite rare these days.
Of course, Emotet wasn’t just good at spamming. It was also good at getting its malware running on many networks around the world. Other than campaigns targeting specific countries or regions, I have never seen Emotet do any kind of targeting. They didn’t need to: their random victims included many big corporations, to whose networks they essentially obtained remote code execution.
This network access was then passed on to other operators, such as Trickbot or various ransomware crews, who did seriously bad things on the networks and made a lot of money doing so. So did the Emotet crew.
I don’t know what will happen to Emotet or the cybercrime landscape in the long run. Emotet has taken long breaks in the past and cybercrime never stopped. It won’t stop now. But it looks like, at least for now, Emotet is gone. It was really good at what it did. We shouldn’t celebrate it, but we should learn from it and continue to do so. As Jessica Payne once said in a tweet that I used in several presentations, it will teach us a thing or two about defending against many more targeted and apparently more sophisticated attacks too.
Note: I left Virus Bulletin at the end of 2019. I have only followed Emotet through other people’s reports since. I don’t believe much has changed in the way it operates, but I don’t have first-hand experience analyzing it any more.