Site navigation

Goodbye Emotet | Notorious Botnet Permanently Deleted

Michael Behr



Emotet was one of the most prolific botnets in the cybercrime ecosystem, and had been used to deliver high-profile attacks.

Emotet, one of the largest botnets used by cybercriminals, was permanently deleted by police officers on April 25th

In January, it was disrupted as part of a major operation that involved Europol coordinating police forces from the UK, US, Germany, and the Netherlands. In Ukraine, police arrested two people accused of being behind the botnet’s infrastructure.

After its infrastructure was seized, police gained control of the botnet. Once in control, they redirected infected machines towards law enforcement-controlled infrastructure, in what Europol said was a new approach to disrupting the cybercrime.

On Sunday, Europol personnel updated the botnet with EmotetLoader.dll, a file that erased the malware from all infected machines around the world. It removed the run key from the Windows registry of infected devices, preventing Emotet modules operating on an infected computer from starting automatically when the device boots up. Meanwhile, the servers controlling Emotet were terminated.

The delay between its initial takeover and deletion allowed security professionals to search out any potential Emotet infections. It also allowed law enforcement more time to seize evidence related to the botnet.

Emotet was one of the most prolific botnets in the world. It was spread onto computers, generally, through malicious email attachments. Once infected, the fully automated botnet could then spread itself to other computers. From there, command and control (C2) servers could be used to send it updates and additional malware.

It was estimated to have been operating on over one million machines around the world.

In addition, the botnet’s operators offered access to Emotet as part of a ‘malware as a service’ business model. Cybercriminals could pay to use the botnet to deliver malicious payloads, such as ransomware or data scrapers, onto infected computers.

Amongst the malware attacks dropped by Emotet were the Ryuk ransomware, Qakbot banking trojan, and a similar botnet, Trickbot.

However, the removal of Emotet will not remove any malware the botnet may have been used to install.

A 2018 US Department of Homeland Security report said that Emotet had cost various governments in the country $1 million per incident to resolve. It was estimated to have earned its operators around $2 billion over its seven-year lifespan.


Botnets have proven difficult to remove from the internet. In October last year, Microsoft was able to disrupt major botnet Trickbot. The company teamed up with global telecoms providers and US legal system to identify Trickbot’s infrastructure and legally disable its IP addresses.

However, even this coordinated attack was only able to disrupt it for a matter of months. By February this year, it had replaced Emotet as the top threat on Check Point’s Global Threat Index.

As such, while the Emotet disruption is a major victory in the battle against cybercrime, and provides a firm blueprint for further operations, the cybercriminal ecosystem is resilient and adaptable. There is always another venture waiting to fill the gap left behind by Emotet.

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: