On April 25, 2021, an update that law enforcement agencies had pushed to roughly one million Emotet-infected computers triggered an uninstall routine, removing the Emotet malware from those machines.
Emotet, one of the most prevalent threats of the past five years, began as a banking Trojan in 2014 and evolved into a malware loader that many cybercriminal groups paid to deliver their own payloads.
TrickBot, Ryuk, and the QakBot banking Trojan are among the best-known malware families distributed through Emotet, but many others relied on its network of approximately one million compromised machines to deliver malicious files.
Authorities announced in January 2021 that they had seized Emotet's command-and-control servers and taken control of its infrastructure, effectively shutting down the botnet's operations.
At the same time, the Dutch police began distributing an update to infected computers that pointed them at law-enforcement-controlled servers, quarantining the infection. That update also carried an uninstall routine set to trigger on April 25, instructing the malware to remove itself automatically.
The uninstall routine deletes the Windows registry Run key entry that launches the Emotet modules at logon and stops and deletes the associated services, but it leaves the remaining files in place, along with any additional malware that was dropped through the botnet. A machine that received the uninstaller therefore still needs a full cleanup, not just confirmation that Emotet no longer starts.
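Because the routine only removes the two persistence hooks and leaves binaries and secondary payloads behind, a responder would want a quick read-only check of those same hooks on a previously infected host. The following PowerShell is an added example for this article, not code from the law-enforcement module or from any Emotet analysis: it lists Run key entries for the current user and Windows services whose executable lives under a user-writable profile directory (TEMP, APPDATA, LOCALAPPDATA), which is where loaders of this kind are typically staged. The directory list and the "user-writable path" heuristic are assumptions chosen for illustration, not Emotet indicators of compromise.

```powershell
# Added example: read-only check of per-user autorun entries and services that
# point into user-writable profile directories. The roots below are an assumed
# heuristic for illustration, not indicators taken from the article.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    # Expand %VARS%, then strip quotes and arguments to isolate the executable path.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    $exe = ($expanded -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $suspectRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-UserProfilePersistence {
    $findings = @()

    # 1. Autorun entries for the current user: the Run key the uninstall routine cleared.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runProps) {
        $findings += $runProps.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and (Test-UserWritablePath $_.Value) } |
            ForEach-Object { [pscustomobject]@{ Type = 'RunKey'; Name = $_.Name; Path = $_.Value } }
    }

    # 2. Services whose binary sits in a user-writable location (the other hook touched).
    $findings += Get-CimInstance Win32_Service |
        Where-Object { Test-UserWritablePath $_.PathName } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Path = $_.PathName } }

    return $findings
}

Get-UserProfilePersistence | Format-Table -AutoSize
```

The script only reads; anything it lists should be triaged before removal, since the same locations are also used by legitimate per-user installers. An empty result after the uninstaller ran confirms the two hooks are gone but says nothing about leftover files or payloads that persist by other means, which is the point of the caveat above.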
Other botnets are expected to move into the space left by Emotet's demise, and security researchers have already seen an uptick in activity from the BazarCall and IcedID malware families.
“While the removal of Emotet is a major victory for everyone but cybercriminals, attempts to replace it with malware like BazarCall and IcedID show that cybercriminal organisations are becoming more coordinated, ambitious, and professionalised. This will almost certainly continue in the future; the issue is not limited to Emotet,” says Digital Shadows, a digital risk management firm.