
Authorities Plan to Mass-Uninstall Emotet on April 25

The world's largest malware network will be wiped out in April following today's planned coordinated takedown and cleanup operations.

Law enforcement officials in the Netherlands (EUROPOL) are in the process of pushing an Emotet update that will remove the malware from all infected computers on April 25, 2021.

The update was made possible after law enforcement agencies from eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered the world's largest malware network today.

While the servers were located across several countries, Dutch officials said that two of Emotet's primary command-and-control (C&C) servers were located within their borders.

Dutch police officials said today that they used their access to these two crucial servers to push a booby-trapped Emotet update to all infected hosts.

According to public reports from two cybersecurity firms that have historically tracked Emotet's operations, this update contains time-bomb-like code that will uninstall the Emotet malware on April 25, 2021, at 12:00, local time on each machine.

All Emotet epochs now are delivering the payload ([https://t.co/Tv21VmJm4s](https://t.co/Tv21VmJm4s)) which has the code to remove Emotet on 25 March 2021 12:00. I believe that [#Emotet](https://twitter.com/hashtag/Emotet?src=hash&ref_src=twsrc%5Etfw) [#Killed](https://twitter.com/hashtag/Killed?src=hash&ref_src=twsrc%5Etfw) [pic.twitter.com/FnrdqZmQcd](https://t.co/FnrdqZmQcd)

— milkream (@milkr3am) [January 27, 2021](https://twitter.com/milkr3am/status/1354459859912192002?ref_src=twsrc%5Etfw)

LAST CHANCE TO AUDIT NETWORKS

"The technical disruption that Dutch police detailed in their press release, if it works as they described, will effectively reset Emotet," Pargman said in an interview.

"It forces the threat actors behind it to start over and attempt to rebuild from scratch, and gives IT staff at companies around the world the opportunity to locate and remediate their computers that have been infected," Pargman added.

Currently, the Europol takedown is preventing the Emotet gang from selling access to Emotet-infected computers to other malware gangs, a tactic the Emotet gang has been known to employ.

But Emotet hosts where cybercriminal gangs have already purchased access remain at risk.

Pargman is now urging companies to take advantage of this time window until April 25 to investigate internal networks for the presence of Emotet malware and determine whether other gangs used it to deploy additional threats.

After Emotet is uninstalled on April 25, such investigations will be much harder to carry out.

ARRESTS IN UKRAINE

Since the Emotet takedown earlier this week, Ukrainian police officers have also come forward to announce that they arrested two individuals they believe were tasked with keeping Emotet's servers running.

A video of the arrests and apartment searches is available below.