Written by Sean Lyngaas

U.S. and European law enforcement agencies last week conducted an extraordinary crackdown on Emotet, a botnet of infected computers that has defrauded victims of millions.

The operation involved officials from nine governments, but one move was decisive: Dutch police used their cyber authorities to infiltrate Emotet infrastructure. They slipped a software update onto the servers that cut off communications between infected computers and the botnet, halting its spread.

For the FBI, it was a lesson in how its foreign allies are sometimes better positioned than the bureau to make an arrest or even deploy offensive cyber capabilities. The bureau had tracked Emotet since 2017, when it caused more than $1.4 million in damage to a North Carolina school’s computer systems.

The Department of Homeland Security has estimated that it cost an average of $1 million to clean up after each Emotet incident, though officials were not more specific in how they came up with that figure. An FBI official on Friday suggested the total cost to U.S. victims of the digital crime tool was in the hundred of millions of dollars.

But American agents couldn’t reach Emotet’s sprawling computer infrastructure on their own.

“That’s the reason that partnering with other law enforcement agencies is so important,” a senior FBI cyber official said in a press call Friday. It’s an example of “working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law,” the official said, referring to the Dutch cyber operation.

It remains unclear whether Emotet’s operatives will effectively rebuild their operations. Botnets often survive until their masterminds are in handcuffs, according to experts.

“We aren’t naïve to the fact that there will be attempts to build this infrastructure back up,” said an FBI cyber subject matter expert.

The briefing came as an FBI-led task force issued a fresh warning about the costs of ransomware, noting that a U.S. city spent $9 million rebuilding its computer systems rather than pay a 13-Bitcoin, or $75,000, ransom. The FBI did not name the city, but the amount of the ransom matches public reports on a breach of Baltimore’s computer systems.

FBI personnel overseas

Emotet represents a microcosm of a much larger problem facing U.S. law enforcement.

Ransomware gang use IT infrastructure that spans multiple countries, rendering unilateral police action impotent. State-backed hackers, too, cover their tracks by routing their communications through servers all over the world.

It’s forcing the FBI, through a nascent cyber strategy, to share information with U.S. intelligence agencies or foreign allies earlier in investigations. The goal is to put more pressure on foreign crooks and spies through things like U.S. military cyber operations or economic sanctions.  

Indictments can be a measure of last resort. Unsealing charges against a foreign criminal or intelligence operative can be an implicit acknowledgement that the accused won’t be apprehended anytime soon, a senior Justice Department official has said.

“It is a significant challenge that we face with respect to identifying actors … and then having to work through international channels to be able to levy charges and ultimately affect an arrest,” the senior FBI cyber official said Friday. “Cybercrime is a global problem … and so as a result, we do often run into challenges with actually bringing the subjects to the United States to face charges.”

To that end, the FBI could expand the number of cyber-focused personnel the bureau has at U.S. embassies, Tonya Ugoretz, deputy assistant director in the FBI’s cyber division, has told CyberScoop.

Those legal attachés played a big part in the Emotet takedown, according to the FBI.

“This level of collaboration [with foreign allies] was unprecedented,” the FBI cyber subject matter expert said.