In an operation dubbed Operation Ladybird (a hat tip to the Emotet tracking group Cryptolaemus), the prolific and dangerous Emotet botnet has been dismantled. This operation saw cooperation between police in the US, Netherlands, Germany, the UK, France, Ukraine, Canada, and Lithuania. Based on reports from Ukrainian and Dutch law enforcement, investigators seized upper-tier servers for the botnet. According to the Europol press release, “law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.” This is an important technical measure, because it prevents victim computers from suffering further harm from Emotet.
Following the published reports, Dutch law enforcement has also released a tool called “Emotet Checker”, which allows anyone to search the database of compromised email accounts by submitting their own email address to a website. If the email address exists in the stolen dataset, the victim will receive an email, sent to the address they queried, confirming that Emotet’s servers had that email address and a password in their database.