While servers were located across multiple countries, Dutch officials said that two of three of Emotet's primary command and control (C&C) servers were located inside its borders.
Dutch police officials said today they used their access to these two crucial servers to deploy a boobytrapped Emotet update to all infected hosts.
According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains a time-bomb-like code that will uninstall the Emotet malware on April 25, 2021, at 12:00, the local time of each computer.
Last chance to audit networks
"The technical disruption that the Dutch police detailed in their press release, if it works as they described, will effectively reset Emotet," Binary Defense senior director Randy Pargman told ZDNet today in an online chat.
"It forces the threat actors behind it to start over and attempt to rebuild from scratch, and it gives IT staff at companies around the world a chance to locate and remediate their computers that have been infected," Pargman added.
Currently, the Europol takedown prevents the Emotet gang from selling access to Emotet-infected computers to other malware gangs, a tactic the Emotet gang has been known for doing.
But Emotet hosts where cybercrime gangs have already bought access remain at risk.
Pargman is now urging companies to take advantage of this time window until April 25 to investigate internal networks for the presence of the Emotet malware and see if other gangs used it to deploy other threats.
After Emotet uninstalls itself on April 25, such investigations will be harder to carry out.