FBI/CISA Alert on Continuing Attacks On Vulnerable Fortinet FortiOS Servers

Advanced persistent threat (APT) actors are targeting vulnerabilities in the Fortinet FortiOS operating system to gain access to servers and establish a foothold in networks as pre-positioning for follow-on data exfiltration and data encryption attacks.

In the latest Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) urged users of Fortinet FortiOS to promptly apply patches for three vulnerabilities, tracked as CVE-2020-12812, CVE-2019-5591 and CVE-2018-13379.

Patches fixing the vulnerabilities were released in May 2019, July 2019 and July 2020. Fortinet contacted affected customers and published several blog posts advising them to upgrade FortiOS to a secure version; even so, many users have not applied the patches and remain vulnerable to attack.

CVE-2018-13379 is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) in Fortinet FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4. Through the SSL VPN web portal, an unauthenticated attacker could download system files by sending specially crafted HTTP requests to a vulnerable server. Chinese, Russian and Iranian APT groups have previously exploited the vulnerability to breach U.S. election support systems.

CVE-2020-12812 is an improper authentication vulnerability in the SSL VPN of FortiOS 6.4.0, 6.2.0 to 6.2.3 and 6.0.9 that could allow a user to log in successfully without being prompted for the second authentication factor (FortiToken) if they changed the case of their username.

CVE-2019-5591 is a default configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
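As an added example (not from the advisory or from Fortinet), the following Python helper triages FortiOS build strings against the affected version ranges listed above for CVE-2018-13379 and CVE-2020-12812, the kind of inventory check a defender runs before the patch window. The hostnames and builds in the sample inventory are constructed; CVE-2019-5591 is left out because no version range is given for it here.

```python
# Triage helper: flags FortiOS build numbers that fall inside the version ranges
# the FBI/CISA advisory lists as affected by CVE-2018-13379 and CVE-2020-12812.
# Added example, not part of the advisory or of Fortinet tooling. CVE-2019-5591
# is omitted because the advisory summary gives no version range for it.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Parse strings such as 'v6.0.4', '6.0.4' or 'FortiOS 5.4.12' into a tuple."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

# Inclusive (low, high) ranges exactly as stated in the advisory summary.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2018-13379": [
        ((5, 4, 6), (5, 4, 12)),
        ((5, 6, 3), (5, 6, 7)),
        ((6, 0, 0), (6, 0, 4)),
    ],
    "CVE-2020-12812": [
        ((6, 4, 0), (6, 4, 0)),
        ((6, 2, 0), (6, 2, 3)),
        ((6, 0, 9), (6, 0, 9)),
    ],
}

def affected_cves(version_text: str) -> List[str]:
    """Return the advisory CVEs whose affected ranges contain this build."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        # Tuple comparison orders (major, minor, patch) lexicographically.
        if any(low <= v <= high for low, high in ranges):
            hits.append(cve)
    return sorted(hits)

def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device name to the advisory CVEs its FortiOS build is exposed to.

    An empty list means 'not inside any listed range', not 'fully patched':
    the advisory ranges are the only data this helper knows about.
    """
    return {host: affected_cves(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v6.0.4",   # inside the 6.0.0-6.0.4 range: CVE-2018-13379
    "fw-branch-02": "v6.0.9",   # exactly 6.0.9: CVE-2020-12812
    "fw-dc-edge":   "v6.2.3",   # top of the 6.2.0-6.2.3 range: CVE-2020-12812
    "fw-lab":       "v5.4.5",   # just below the 5.4.6 floor: not listed
    "fw-hq":        "v6.2.4",   # just above 6.2.3: not listed
}

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not in advisory ranges"
        print(f"{host:14s} {SAMPLE_INVENTORY[host]:8s} {status}")
```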

The FBI and CISA note that APT groups are enumerating servers that have not been patched against CVE-2020-12812 and CVE-2019-5591 and are scanning for devices vulnerable to CVE-2018-13379 on ports 10443, 4443 and 8443. The vulnerabilities have been exploited to gain access to several government, commercial and technology services networks. Other CVEs and exploitation techniques, including spear phishing, could also be used in attacks to gain access to critical infrastructure systems.

In addition to applying the patches, the FBI and CISA recommend the following mitigations to prevent exploitation:

  • Add key artifact files used by FortiOS to the execution deny list so that attempts to install or run the program and its associated files are blocked.
  • Configure systems to require administrator credentials before installing software.
  • Use multi-factor authentication wherever possible, maintain good password hygiene and audit accounts with administrative privileges.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Since phishing attacks are likely, flag emails from external sources and disable hyperlinks in emails.
  • Educate staff about information security and how to recognize phishing emails.
  • Install antivirus software on all systems and keep it updated.
  • Use network segmentation to limit the damage that can be caused in the event of a breach.
  • Since extortion and data destruction attacks can occur, back up data regularly, store a copy on an air-gapped system and password-protect the backups.
  • Develop a recovery plan to restore sensitive data from a physically separate, segmented, secure location.

Data Breaches at Mobile Anesthesiologists, Heart of Texas Community Health Center and Haven Behavioral Healthcare

Mobile Anesthesiologists recently discovered that some patients’ protected health information (PHI) was exposed as a result of a technical misconfiguration. The issue occurred before December 14, 2020, and allowed public access to PHI including names, dates of birth, health insurance information, dates of service and medical treatment information.

The investigation concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals had been exposed. Although the PHI could have been accessed by unauthorized individuals, no evidence was found to suggest unauthorized access or theft of PHI. Mobile Anesthesiologists began notifying the affected individuals by mail on March 10, 2021.

Email Error Results in Unauthorized Disclosure of Heart of Texas Community Health Center Patients’ PHI

Heart of Texas Community Health Center has discovered that the PHI of some patients was exposed.

An email containing patient information was sent to individuals who were authorized to view the data; however, it was sent to an account outside the protection of the firewall and could have been intercepted because the email was not encrypted.

The email contained only an email address and stated that the account holder was overdue for a pap smear. It did not include any names or other information. The email related only to female patients aged 21 to 65 who had visited a Heart of Texas Community Health Center facility between September and December 2020.

No reports have been received to suggest the email was intercepted or accessed by unauthorized individuals.

Haven Behavioral Healthcare Reports Breach of Systems Containing Patient Information

Nashville, TN-based Haven Behavioral Healthcare has announced that unauthorized individuals gained access to parts of its network that stored patients’ PHI. The provider detected the breach on or around September 27, 2020 and immediately launched an investigation. Third-party cybersecurity professionals assisted in determining the nature and scope of the breach.

The investigation revealed that the attacker had access to its systems between September 24 and September 27, 2020. It was confirmed on January 27, 2021 that the files accessed by the attacker contained patient information. A review of the files was completed on March 11, 2021 and Haven Behavioral Healthcare began mailing notification letters on March 23, 2021.

Although the files were exposed, the investigation could not confirm whether the attacker actually viewed them. It is currently unknown which hospitals and patients were affected.

FBI Issues Alert About Rise in Business Email Compromise Attacks on State and Local Governments

In its March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) warned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities increased from 2018 to 2020, with losses from these attacks ranging from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages impersonating the account owner to persuade the target to make a fraudulent transaction. The compromised account is often used to send messages to the payroll department requesting changes to employee direct deposit information, or to individuals authorized to make wire transfers, requesting changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 reports of BEC attacks, with losses of approximately $1.9 billion. The following are examples of BEC scams:

In July 2019, a small city government lost $3 million after being defrauded by a spoofed email that appeared to come from a service provider requesting a change to its payment account.

In December 2019, the email account of a financial manager at a government agency of a US territory was compromised and used to send 146 messages to government agencies containing financial transaction information. Several recipients queried the requests by email, and the scammer intercepted and responded to those emails. In total, $4 million was transferred to the attacker’s account.

In addition to the financial losses, the attacks impair the operational capabilities of SLTT government entities, cause reputational damage, and can also result in the loss of sensitive data such as PII, banking information and employment records.

BEC scammers can easily research targets and obtain SLTT operating details and information about vendors, suppliers and service providers from open sources. Gaining access to email accounts is straightforward, as targets’ email addresses are easy to find and phishing kits for harvesting credentials are available cheaply on the darknet.

Once an email account has been compromised, the scammer mimics the writing style of the account holder and often hijacks existing message threads. The scam may involve several messages in which the target believes they are communicating with the genuine account owner when they are in fact communicating with the attacker.

The FBI notes that BEC scammers typically target SLTT government entities with poor cybersecurity practices and exploit those that do not provide sufficient training to employees. The shift to remote working during the pandemic has made things considerably easier for the fraudsters.

In 2020, CISA conducted phishing simulations with SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on simulated malicious hyperlinks. The 13.6% click rate implies that security awareness training is failing to teach employees about the threat of email-based attacks and highlights the importance of “defense in depth mitigations.”

The FBI recommends ensuring that all employees receive security awareness training, understand BEC attacks, and know how to recognize phishing and spoofed emails. Employees should be taught to carefully scrutinize emails requesting advance payments, changes to bank account details, or sensitive information. Policies and procedures should be implemented that require any bank account change or transaction request to be verified by telephone using a known number, not contact details supplied in the email.

Additional measures to consider include implementing multi-factor authentication on email accounts, conducting phishing simulations, disabling automatic email forwarding, monitoring Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering solutions.

Further steps that can be taken to prevent and detect BEC attacks are detailed in the FBI alert.

Cost of US Healthcare Ransomware Attacks in 2020 Estimated at $21 Billion

Ransomware attacks on the healthcare sector surged in 2020. At least 91 U.S. healthcare organizations suffered ransomware attacks, 50 more than the previous year. 2020 also saw a major ransomware attack on Blackbaud, which affected around 100 U.S. healthcare organizations.

The first reported ransomware attack occurred in 1989, but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. That changed in 2016 when a new breed of ransomware began to be used in attacks.

These newer ransomware variants use strong encryption and delete or encrypt backup files to ensure data cannot be recovered without paying the ransom. Over the past five years, ransomware has been a constant threat to the healthcare sector, and healthcare organizations have increasingly been targeted. Attacks now involve the theft of sensitive data before files are encrypted, so even when files can be recovered from backups, the ransom must still be paid to prevent the stolen data from being exposed or sold.

Healthcare ransomware attacks cripple IT systems, render patient health records inaccessible, disrupt patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months, and remediation is expensive, with substantial loss of revenue due to downtime. In 2020, the University of Vermont Health Network ransomware attack cost $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to determine the true cost of ransomware attacks on US healthcare organizations. They collected data on all ransomware attacks reported to the U.S. Department of Health and Human Services’ Office for Civil Rights since 2016, along with attacks reported in the media that were not published by OCR because they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult because only limited information is made public. Ransoms may be paid, but the amounts are often not disclosed, and attacks affecting fewer than 500 individuals are usually not publicized.

The researchers identified 92 healthcare ransomware attacks in 2020, including the Blackbaud attack. More than 600 separate hospitals, clinics and other healthcare facilities were affected by those attacks, with a further 100 affected by the Blackbaud attack. The attacks resulted in the theft or exposure of the protected health information (PHI) of approximately 18,069,012 patients.

Ransom demands ranged from $300,000 to $1.14 million, with the average ransom demand in 2020 being $169,446, according to Coveware. Attackers demanded $15.6 million in ransoms from U.S. healthcare organizations in 2020, and $2,112,744 was confirmed to have been paid to ransomware gangs. The true figure is considerably higher, as ransom payments are usually not publicly disclosed.

In addition to any ransom payment, downtime lasting weeks or months is another cost of ransomware attacks. Coveware research shows that average downtime rose from 15 days (Q1 2020) to 21 days (Q4 2020). According to the Comparitech researchers, total downtime from the 2020 attacks was 1,669 days. Using the 2017 estimate of downtime costing $8,662 per minute, the 2020 attacks cost approximately $20.8 billion, more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the U.S. between January 2016 and December 2020, affecting around 2,100 clinics, hospitals and other healthcare facilities. The attacks involved the theft or encryption of the data of more than 25 million people, at a total estimated cost to the healthcare industry of $31 billion.

The full findings of the Comparitech healthcare ransomware study are available here.

PHI Exposed Due to Breaches at Elara Caring, Cornerstone Care and ProPath

Elara Caring, one of the largest providers of home-based healthcare services in the United States, has suffered a phishing attack affecting around 100,000 patients.

In mid-December, the provider detected suspicious activity in several employee email accounts. It took immediate action to secure the accounts and block the attackers’ access. A third-party cybersecurity firm assisted with the investigation.

The investigation confirmed that an unauthorized individual had accessed several employee email accounts, although no evidence was found to indicate that the attackers viewed or obtained any patient data in those accounts. Data theft could not be ruled out, however.

A review of the breached email accounts revealed they contained the sensitive data of 100,487 patients, including names, dates of birth, employer ID numbers, Social Security numbers, driver’s license numbers, financial/bank account details, passport numbers, home addresses, email addresses and passwords, insurance information and insurance account numbers. Elara Caring has offered the affected individuals complimentary credit monitoring and identity protection services.

The provider has also taken steps to strengthen data security and has provided additional cybersecurity training to its staff.

Email Account Breach at Cornerstone Care Affects 11,487 Individuals

An unauthorized individual gained access to an email account containing the PHI of 11,487 patients who received services from Cornerstone Care community health centers in northern West Virginia and southwestern Pennsylvania.

Cornerstone Care discovered the incident on June 1, 2020 and engaged third-party security professionals to assist with the investigation. It was determined that the breach was limited to a single company email account. A review of the PHI contained in the account was completed on January 13, 2021.

The account contained patient names and addresses and, for some individuals, date of birth, Social Security number, medical record, condition, treatment, diagnosis, and/or health insurance information. Individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services.

Cornerstone Care mailed notification letters to affected individuals on February 25, 2021 and has since implemented multi-factor authentication on its email accounts.

ProPath Email Accounts Accessed by an Unauthorized Individual

ProPath, a leading nationwide, wholly physician-owned pathology practice in the United States, has discovered that an unauthorized individual gained access to two email accounts containing patient data.

The unauthorized individual had access to the email accounts between May 4, 2020 and September 14, 2020. On January 28, 2021, ProPath determined that the PHI in the accounts included patient names, dates of birth, test orders, diagnosis and/or treatment information, procedure details and physician names. For some individuals, Social Security numbers, financial account details, driver’s license numbers, health insurance information and/or passport numbers were also exposed.

Individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. Employees have received additional training to help them identify malicious emails, and further technical safeguards have been implemented.

It is not yet known how many individuals were affected. ProPath said that many patients who received testing from the practice were not affected by the breach.

Roundup of Recent Healthcare Data Breaches

Email Account Breach at Summit Behavioral Healthcare

Brentwood, TN-based Summit Behavioral Healthcare has discovered that two employee email accounts were breached beginning in May 2020. The behavioral health services provider operates 18 addiction treatment centers across the United States.

An independent forensics firm was engaged to investigate the breach and confirmed on January 21, 2021 that the compromised accounts contained protected health information that unauthorized individuals may have accessed or obtained.

The data in the accounts varied from individual to individual and may have included names together with one or more of the following: diagnosis or symptom information, treatment information, prescription information, health insurance numbers, medical history, Social Security number, financial account details, Medicare/Medicaid identification numbers, and healthcare provider information.

Summit Behavioral Healthcare has notified the affected individuals and offered them a complimentary one-year membership to credit monitoring and identity theft protection services.

Email Account Compromised at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center in Elgin, ND has discovered that an unauthorized individual accessed an email account containing the PHI of 1,547 patients.

The hospital discovered the breach on or around August 5, 2020 and retained an independent cybersecurity firm to investigate and determine whether any records had been accessed. The attack appears to have been conducted to use the account to send spam emails; nevertheless, it is probable that patient records were accessed.

The account contained names, dates of birth, addresses, email addresses, telephone numbers, Social Security numbers, credit card numbers, insurance policy numbers, bank account numbers, and some health information.

A new organization-wide security system has been implemented, policies and procedures have been updated, and additional data security training has been provided to staff and vendors. Jacobson Memorial Hospital and Care Center has offered affected individuals complimentary credit monitoring and identity theft restoration services.

Twelve Oaks Recovery Finds Malware Infection and Data Theft

Twelve Oaks Recovery, an addiction and mental health treatment facility in Navarre, FL, has discovered that an unauthorized individual accessed its network, deployed malware, and stole records. The attack was detected on December 13, 2020 after unusual network activity was identified. A forensic investigation confirmed that malware was deployed on December 13 and that data was exfiltrated the following day.

A review of the records obtained by the attacker revealed they contained the PHI of 9,023 patients, including names, dates of birth, addresses, Social Security numbers and medical record numbers.

Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches in the future.

Kaiser Permanente Terminates Worker for Improper PHI Access

Kaiser Permanente has terminated an employee for accessing members’ medical records without authorization. The provider detected the privacy breach on December 28, 2020 and the investigation confirmed that the information was accessed for reasons unrelated to members’ healthcare needs. The types of data accessed included names, addresses, email addresses, phone numbers, dates of birth, and photographs. No other sensitive data was compromised.

Kaiser Permanente is reviewing its policies and procedures and will implement additional safeguards, as necessary, to prevent similar privacy breaches in the future.

Online Storage Vendor Pays Ransom to Recover Healthcare Data Stolen in Cyberattack

The protected health information (PHI) of 29,982 patients of Laguna Hills, CA-based Harvard Eye Associates was potentially stolen in a cyberattack on its online storage vendor. The medical and surgical eye care provider was informed on January 15, 2021 that hackers had gained access to its storage vendor’s computer systems and exfiltrated data.

It is unclear whether files were encrypted to prevent access; however, a ransom demand was received in exchange for the return of the stolen files. The storage vendor consulted cybersecurity specialists and the Federal Bureau of Investigation and chose to pay the ransom.

The hackers returned the stolen data and gave assurances that they had not retained any copies and had not disclosed the stolen files to anyone else. The cybersecurity professionals engaged by the storage vendor are monitoring the Internet and darknet and have found no evidence that the stolen data has been sold or leaked online. The investigation into the breach revealed that the hackers first gained access to the vendor’s computer networks on October 24, 2020.

The hackers likely obtained the following types of patient information: names, phone numbers, addresses, email addresses, dates of birth, medical histories, health insurance information, medications, and information about treatment received at Harvard Eye Associates.

Harvard Eye Associates provides billing and other administrative services to Alicia Surgery Center in Laguna Hills, which requires access to the types of information listed above, so the incident also affected Alicia Surgery Center patients. It is currently unknown how many Alicia Surgery Center patients were affected.

Harvard Eye Associates and Alicia Surgery Center stated in breach notices on their websites that affected patients will be notified and offered complimentary credit monitoring and identity theft protection services.

21st Century Oncology’s Proposed Data Breach Settlement Gains Initial Approval

A court has granted preliminary approval of a settlement proposed by 21st Century Oncology to resolve a November 2020 class-action lawsuit. The lawsuit was filed in the District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that affected 2.2 million individuals.

The Federal Bureau of Investigation notified 21st Century Oncology of a breach of its computer network on November 13, 2015. An unauthorized individual had gained access to its systems and may have viewed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, insurance information and Social Security numbers. Notifications to affected individuals were delayed at the request of the FBI so as not to impede the investigation. Patients affected by the breach began receiving notification letters in March 2016.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and identified potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class-action lawsuit sought compensation for breach victims for losses suffered as a result of the incident, including reimbursement of out-of-pocket expenses, time spent remedying issues, and losses suffered due to identity theft and fraud.

Under the terms of the proposed settlement, all breach victims will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which can be deferred for up to two years.

The 21st Century Oncology settlement will also reimburse breach victims for default time spent dealing with issues fairly traceable to the data breach, calculated as two hours at $20 per hour, up to $40. In addition, a claim may be made for documented time spent, up to 13 hours at $20 per hour, for a maximum of $260.

Anyone who can provide evidence of out-of-pocket expenses incurred as a result of the breach or documented fraud may file a claim for up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and may file a claim. The deadline for submitting claims is May 10, 2021. Any class member wishing to object to or exclude themselves from the settlement has until March 9, 2021 to do so.

Although the court has granted preliminary approval of the settlement, final approval has not yet been given. A fairness hearing is scheduled for June 15, 2021.

Email Account Breach at Charles J. Hilton & Associates P.C. and Nevada Health Centers

University of Pittsburgh Medical Center (UPMC) has announced that the protected health information (PHI) of around 36,000 patients was potentially accessed by unauthorized individuals following a cyberattack on a firm that provides UPMC with billing-related legal services.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) detected suspicious activity in its employees’ email accounts and launched an investigation. On July 21, 2020, CJH determined that hackers had accessed the email accounts of several employees between April 1, 2020 and June 25, 2020.

Computer forensics experts conducted a comprehensive investigation to determine what information the hackers had accessed or obtained. UPMC said it was notified of the breach in December 2020, with confirmation that the attackers had obtained patient data. CJH is currently sending notification letters to all patients potentially affected by the incident. UPMC said none of its systems were affected, including its electronic medical record system; the only information involved was patient data provided to CJH to deliver its contracted billing-related legal services.

CJH said the breached accounts contained names, dates of birth, financial or bank account numbers, state identification card numbers, Social Security numbers, driver’s license numbers, electronic signatures, Medicare or Medicaid identification numbers, medical record numbers, patient control numbers, patient account numbers, trip numbers, visit numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation information, and information related to occupational health, drug tests, symptoms, diagnosis, treatment, medications, billing or claims, and/or disability.

CJH is offering complimentary credit monitoring and identity theft protection services to individuals affected by the breach.

Nevada Health Centers Notifies Patients About Email Account Breach

Nevada Health Centers has reported that the PHI of some of its patients was potentially compromised. Between November 20 and December 7, 2020, an unauthorized individual remotely accessed an employee’s email account containing patient data.

The individual appeared to be located abroad, as one of the logins came from a South African IP address. The attack appears to have been aimed at obtaining Nevada Health Centers’ financial information rather than patient health information, although patient data may have been viewed or obtained during the attack. Nevada Health Centers said no evidence was found that PHI was accessed or stolen.

The breached email account was found to contain patient names along with one or more of the following: address, telephone number, date of birth, gender, race, ethnicity, insurance information, appointment information, medical record number, provider name, and service location(s). The number of patients affected is currently unknown.

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced that the notorious Emotet botnet has been taken down in a multinational law enforcement operation. Law enforcement agencies in the United States, Canada and Europe seized control of the Emotet infrastructure, which consisted of hundreds of servers around the world.

Emotet was one of the most notorious malware botnets of the past decade, and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The operators of Emotet were a highly experienced cybercrime service provider that played a major role in the cybercrime ecosystem. The Emotet botnet was used in approximately 30% of all malware attacks.

The Emotet Trojan was first identified in 2014 and started out as a banking Trojan; however, the malware evolved into a far more dangerous threat used for a wide range of cybercriminal operations. Emotet acted as a backdoor into computer networks, and that access was sold to other cybercriminal groups for data theft, malware distribution and extortion. Emotet was used to deliver Qakbot and TrickBot, which in turn were used to deliver ransomware variants including Conti, Ryuk, ProLock and Egregor.

When a device was infected with the Emotet Trojan, it was added to the botnet and used to infect other systems. Emotet could spread laterally across networks and hijacked email accounts to send copies of itself to contacts. The Emotet gang took phishing to the next level and their campaigns were remarkably effective. A wide variety of lures was used to increase the likelihood of emails being opened and the malware installed. Emotet also hijacked message threads and inserted itself into email conversations to increase the likelihood of malicious attachments being opened.

The law enforcement operation took approximately two years to plan and was a joint effort between authorities in Germany, France, the Netherlands, Canada, Lithuania, the United Kingdom, Ukraine and the United States, coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, which performed different functions and were used to manage infected computers, distribute copies of the Emotet Trojan, exfiltrate data, and provide services to other cybercrime groups. The Emotet gang had also built resilience into its infrastructure to withstand takedown attempts.

To dismantle the infrastructure and prevent any attempts at recovery, the operation was coordinated so that law enforcement agencies took control of the servers simultaneously from the inside. The servers are now under the control of law enforcement, and a module that removes the malware is already being distributed. Europol confirmed that the malware will be removed from infected systems on March 25, 2021.

In addition to disrupting the operation, several members of the Emotet gang in Ukraine believed to have been running the botnet have been arrested, and further arrests are expected to follow.