
Alston & Bird Privacy, Cyber & Data Strategy Blog


U.S. Takes Part in Multinational Efforts to Disrupt Netwalker Ransomware and Emotet Malware

February 1, 2021 By Emily Poole

On January 27 and 28, 2021, the U.S. Department of Justice (DOJ) announced two successful operations to disrupt two different strains of malware, Netwalker ransomware and a banking Trojan known as Emotet, which have affected victims around the globe and caused millions of dollars in damage in recent years.

The law enforcement actions against Netwalker and Emotet are the latest examples of successful cooperation between governments in fighting cybercrime that transcends borders. The U.S. partnered with Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden, and Ukraine to disrupt the Emotet botnet, and Bulgarian authorities assisted with the operation against Netwalker. The DOJ announcement regarding Emotet notes that, “Now, more than ever, international collaboration is an imperative… This investigation will be a paradigm of effective international law enforcement cooperation directed at global cybercrime.” Below we highlight key aspects of each operation.

Netwalker

On January 27, 2021, the DOJ announced charges against a Canadian individual in relation to Netwalker ransomware attacks allegedly involving the extortion of tens of millions of dollars. The DOJ also announced that the law enforcement operation involved the seizure of approximately $500,000 in cryptocurrency from ransom payments and the dismantling of a dark web resource allegedly used to communicate with ransomware victims. Bulgarian authorities were able to seize the dark web hidden resource, and web visitors will now find a banner notifying them that the site has been seized by law enforcement.

Netwalker is one of the most common strains of ransomware and has affected victims in a variety of industries. The DOJ notes that attacks have specifically targeted the healthcare sector during the COVID-19 pandemic. Netwalker is frequently cited as an example of ransomware-as-a-service. According to the DOJ announcement, Netwalker “developers” create and update the malware, while “affiliates” conduct the actual ransomware attacks. If a victim pays a ransom, the payment is split between the two groups.

Emotet

On January 28, 2021, the DOJ announced it had taken part in a multinational effort to dismantle the infrastructure behind the Emotet botnet and malware, which according to the DOJ has caused hundreds of millions of dollars in damage worldwide.

According to the FBI’s application for a search warrant for certain servers associated with Emotet activity, administrators of the Emotet malware use a system of tiered servers to distribute the malware and communicate with infected computers. As part of the international effort to disrupt the botnet, foreign law enforcement agents gained access to servers being used to distribute the malware, and through such access, were able to identify the IP addresses of approximately 1.6 million computers that were infected between April 1, 2020 and January 17, 2021. Of those, over 45,000 infected computers appeared to be located in the U.S. According to the FBI’s warrant application, on or about January 26, 2021, foreign law enforcement agents working with the FBI replaced Emotet malware on certain servers with a file created by law enforcement, which was then sent out to affected computers as an update. This law enforcement file prevented the administrators of the Emotet botnet from communicating with infected computers.

Emotet malware primarily infects victims through spam messages carrying malicious links or attachments, and once a computer is compromised, the computer becomes part of the Emotet botnet. Emotet is frequently used as a “dropper” or “loader” for other malware, meaning criminals can use Emotet to deliver additional malware, such as ransomware or credential-stealing malware. Emotet has been one of the most destructive strains of malware since it was first discovered in 2014. In 2018, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an alert on Emotet, warning entities about some of Emotet’s particularly sophisticated characteristics. As a modular banking Trojan, Emotet can evade typical signature-based detection and has several methods for maintaining persistence as it attempts to spread laterally through local networks.


About Emily Poole

Emily Poole is an associate on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.


Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.