Emotet, the email-based Windows malware behind numerous botnet-driven spam campaigns and ransomware attacks, was automatically deleted from infected computers following a European law enforcement operation.
The development came three months after the coordinated disruption of Emotet under “Operation Ladybird”, in which law enforcement seized control of the servers used to run and maintain the malware network.
In that operation, at least 700 servers associated with the botnet’s infrastructure were taken down from the inside, cutting the operators off from the infected machines and preventing further exploitation of them.
The law enforcement authorities from the Netherlands, Germany, the U.S., U.K., France, Lithuania, Canada, and Ukraine were involved in the international action.
Earlier, the Dutch police stated that they had deployed a software update to effectively counter the threat posed by Emotet. All infected computer systems will automatically retrieve the update, after which the Emotet infection will be quarantined.
This involved pushing a 32-bit payload named “EmotetLoader.dll” to all compromised machines via the same channels that had been used to distribute the original Emotet. The cleanup routine, set to trigger automatically on April 25, 2021, removes the malware from the device, deletes its autorun Registry key, and terminates its running process.
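For defenders who want to confirm that the cleanup actually ran on their own hosts, the following PowerShell audit is an added example, not code from the article, from Malwarebytes, or from the law enforcement payload. It lists autorun entries under the usual Run keys, flags those whose target lives in a user-writable profile directory or no longer exists on disk, and checks whether the loader DLL is still present. The Run-key locations, the choice of suspect directories, and the System32 path for EmotetLoader.dll are assumptions made for the example; the article does not give them. The script only reads; it removes nothing.

```powershell
# Added example (not from the article or the law enforcement update): audit
# Run-key autorun persistence on a Windows host after the April 25, 2021
# Emotet cleanup. Read-only; review the output by hand.
# Assumptions not stated by the article: the autorun entry lived under the
# per-user or machine Run keys and pointed at a binary in a user-writable
# directory; the loader was written to System32 as EmotetLoader.dll.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Profile directories where a legitimate autorun rarely lives (assumption).
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-RunTarget {
    param([string]$Command)
    # Pull the file that actually runs out of a Run value.
    # rundll32 entries: the first argument (up to a comma) is the DLL.
    if ($Command -match '^\s*(?:"?[^"\s]*rundll32(?:\.exe)?"?)\s+"?([^",\s]+)') {
        return $Matches[1]
    }
    # Quoted path followed by optional arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Bare path; paths with unquoted spaces are not handled.
    return ($Command -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        $target   = Get-RunTarget -Command ([string]$p.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($target)
        $lower    = $expanded.ToLowerInvariant()
        $inUserDir = $false
        foreach ($root in $suspectRoots) {
            if ($lower.StartsWith($root)) { $inUserDir = $true }
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Target  = $expanded
            Exists  = Test-Path -LiteralPath $expanded
            UserDir = $inUserDir
        }
    }
}

# Worth a look: targets in a profile directory (where Emotet's binary sat),
# or dangling entries whose file is gone but whose key was not deleted.
$findings | Where-Object { $_.UserDir -or -not $_.Exists } | Format-Table -AutoSize

# Whether the loader itself is still on disk. Location is an assumption;
# adjust it to wherever your EDR saw the DLL written.
$loader = Join-Path $env:SystemRoot 'System32\EmotetLoader.dll'
"EmotetLoader.dll present: $(Test-Path -LiteralPath $loader)"
```

Run it in an elevated session so the HKLM keys are readable; an empty table plus a false for the loader is the expected state on a cleaned host, while a dangling entry or a target under a profile directory deserves a manual check before it is removed.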
Now, the cybersecurity firm Malwarebytes has confirmed that on its Emotet-infected test machine, which had received the law enforcement payload, the uninstallation routine ran successfully and the malware removed itself from the Windows system.
At present, abuse.ch’s Feodo Tracker shows that none of the Emotet servers are online.