Emotet Effectively Exhausted – Uninstall Command Executed on April 25

The uninstall code planted by the German Bundeskriminalamt (BKA) federal police agency instructing Emotet to uninstall from roughly one million remaining infected systems executed on Sunday. This action cleans up the Windows registry key that enabled the Emotet modules to run automatically and stops and deletes associated services, but does not remove other files, nor does it erase additional malware that might have been installed through the botnet. According to BleepingComputer, there may be some uncertainty whether the removal operation also included devices located in the U.S. The eradication of Emotet, including mention of the uninstall command, was previously posted in the Security & Resilience Update for January 28, 2021. Emotet may be exterminated, but its remnants such as Trickbot, Ryuk, and Qakbot may still remain on infected systems. And while the end of Emotet is encouraging, its legacy will likely live on in the evildoers that seek to rise and replace it, like BazarCall and IcedID.

Utilities who may not have addressed latent Emotet and associated infections before the execution can find out if they are impacted via Troy Hunt’s Have I Been Pwned (HIBP) service. According to Troy, this incident is not publicly searchable in HIPB, so individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted. All impacted HIBP subscribers have been sent notifications. Read more at BleepingComputer.