{
	"id": "6f820231-fd36-4e3d-8399-12dc9ef66664",
	"created_at": "2026-04-06T00:16:18.236136Z",
	"updated_at": "2026-04-10T03:30:33.63191Z",
	"deleted_at": null,
	"sha1_hash": "3b79fccb2ac3769472c341b6f0fa5b501714bfb4",
	"title": "Emotet and Trickbot: The Battle of the Botnets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259508,
	"plain_text": "Emotet and Trickbot: The Battle of the Botnets\r\nPublished: 2021-04-12 · Archived: 2026-04-05 17:53:17 UTC\r\nEmotet began as a banking trojan in 2014 — but from this inauspicious start, it grew to become “the world’s most\r\ndangerous malware” according to Europol, and one of the Cybersecurity and Infrastructure Security Agency’s\r\n“most prevalent ongoing threats.”\r\nThe botnet earned its reputation in a number of ways.\r\nIt was strikingly common. By 2021, Emotet was involved in one-third of malware attacks.\r\nIt was resilient. The botnet was capable of spreading laterally once it had gotten access to just a small\r\nnumber of devices in a network.\r\nIt was targeted. One Emotet module collected a portion of each email in a victim’s inbox, enabling highly\r\ntargeted phishing attempts capable of replying to and quoting legitimate emails.\r\nIt was automated. Once it gained control of a device, it distributed itself to the user’s contacts and\r\nattempted to brute force its way onto any other devices connected over the same network.\r\nAnd in many cases, it was just the beginning. In the SonicWall 2021 Cyber Threat Report, we detailed the\r\nmeteoric rise of Ryuk ransomware. While Ryuk is certainly formidable in its own right (see rapid growth in graph\r\nbelow), a key to its swift success was the leg up it received in the form of Emotet. Emotet was offered for hire to\r\nRyuk operators, who used access already established by Emotet to deploy the ransomware upon networks of those\r\ndeemed valuable targets.\r\nTo compare it to crime in the physical space, consider a group of burglars with plans to rob a bank. What would be\r\neasier: finding a way to break in themselves, or hiring someone on the inside to simply leave a door open?\r\nThe End of Emotet\r\nBut in the end, it was Emotet’s success and versatility that led to its downfall. 
In response to the rampant\r\nproliferation of the botnet, law-enforcement agencies from at least eight different countries formed a multinational\r\norganization with the goal of disrupting it and taking it down.\r\nIn January 2021, law enforcement and judicial authorities succeeded in gaining control of the servers used by\r\nEmotet. Then, they replaced the Emotet malware on these servers with a harmless file created by law enforcement.\r\nBy preventing new devices from downloading the malware, the spread of Emotet to additional targets was halted.\r\nWhile this disruption will likely prevent a number of infections — some costing more than a million dollars to\r\nmitigate — in the short term, the long-term impact remains much less clear.\r\nAs Fernando Ruiz, Europol’s European Cybercrime Centre head of operations, told ZDNet, “We expect it will\r\nhave an impact because we’re removing one of the main droppers in the market. For sure there will be a gap that\r\nother criminals will try to fill, but for a bit of time, this will have a positive impact on cybersecurity.”\r\nhttps://blog.sonicwall.com/en-us/2021/04/emotet-and-trickbot-the-battle-of-the-botnets/\r\nPage 1 of 6\n\nHistory Repeating\r\nIt’s possible that, in a best-case scenario, this disruption will eliminate Emotet for good, and have a long-term\r\npositive effect on the amount of malware going forward.\r\nFor an idea of how a worst-case scenario might play out, however, we only have to look back about six months —\r\nto none other than the rumored Emotet heir apparent, Trickbot.\r\nSince its development in late 2016, the operators of Trickbot have successfully infected over a million devices\r\nglobally. 
As with Emotet, a variety of factors combine to make Trickbot an outsized threat,\r\nincluding its ever-evolving modular capabilities, its ability to infect IoT devices and its proficiency at stealing\r\ninformation.\r\nBut it was Trickbot’s potential to deploy ransomware or DDoS attacks in advance of the 2020 U.S. presidential\r\nelection that presented the most pressing danger.\r\nHoping to prevent a large-scale disturbance in the democratic process, Microsoft obtained a court order allowing it\r\nto shut down Trickbot’s operations. In a joint effort with global telecommunications companies, Microsoft was\r\nable to disable Trickbot’s infrastructure, taking down new servers that Trickbot was attempting to use as\r\nreplacements almost as soon as they went online. The operation itself took less than a week, and by October\r\n18, 2020, the vast majority of Trickbot’s critical infrastructure had been disabled.\r\nWhile the takedown was a success in terms of preventing election tampering, this respite wasn’t long-lived: by the\r\ntime the U.S. Electoral College held its confirmation vote in December, Trickbot was already showing signs of a\r\nresurgence. A new version was spotted that included upgraded means of evading detection, along with other\r\nfeatures. And in January, ZDNet reported a malware campaign that “has the hallmarks of previous Trickbot\r\nactivity.”\r\nWill Emotet take a similar path and come roaring back to life? We don’t know yet, but with so much money to be\r\nmade, it certainly isn’t out of the realm of possibility.\r\nIn the meantime, the takedown of Emotet in early 2021 seems to be fueling the ongoing resurgence in Trickbot,\r\nwhich is rising to fill the void left behind.\r\nUntil both are gone for good, the best protection against botnets like Emotet and Trickbot is a sound and proven\r\nsecurity posture, frequent software and firmware updates, and comprehensive cybersecurity awareness. 
The latter\r\nincludes everyday vigilance and adherence to best practices, along with staying up to date on current trends in\r\ncybercrime.\r\nFor more on Ryuk, Emotet and other malware, download the 2021 SonicWall Cyber Threat Report.\r\nSource: https://blog.sonicwall.com/en-us/2021/04/emotet-and-trickbot-the-battle-of-the-botnets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2021/04/emotet-and-trickbot-the-battle-of-the-botnets/"
	],
	"report_names": [
		"emotet-and-trickbot-the-battle-of-the-botnets"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b79fccb2ac3769472c341b6f0fa5b501714bfb4.pdf",
		"text": "https://archive.orkl.eu/3b79fccb2ac3769472c341b6f0fa5b501714bfb4.txt",
		"img": "https://archive.orkl.eu/3b79fccb2ac3769472c341b6f0fa5b501714bfb4.jpg"
	}
}