In IT security circles, Emotet is one of the most notorious and prominent examples of malware seen in recent years. If you don’t yet know about Emotet, learning what it is, the risks it poses, and how to protect yourself against it could be one of the best things you ever do.
What is Emotet?
Emotet is a specific type of malware created by cybercriminals. The first detection of this malware was in 2014 during a cyberattack on banks in Germany and Austria. Emotet would come to global attention towards the end of the 2010s thanks to several successful, high-profile attacks.
Emotet is unusual among malware families in that it is constantly evolving and remains active. Usually, once a malware family has been identified and defenses have been developed to block it, cybercriminals move on to a new family that ends up with a different name.
Cybercriminals usually deploy Emotet malware via spam emails. One typical means of targeting users is to send a document with a mundane title, such as “invoice.doc,” which many people take for a legitimate attachment when they receive it. Once the recipient opens the attachment, macros within the document download Emotet onto their system, and it gets to work.
It is also common for Emotet emails to include malicious links with commonly clicked terms like “Payment Details” contained within the content.
Many Emotet attacks make it look like the email you’re receiving is from a familiar brand, which has helped contribute to the number of successful attacks through the years.
Two other factors make this type of malware so dangerous: it can sit on a system and work undetected, and it can deliver other types of malware to that system. Even if you identify Emotet and remove it from your system, you may still need to do further work to remove the additional malware it dropped.
How has Emotet evolved in recent years?
To this day, Emotet malware continues to evolve and has far more capabilities than it did in 2014.
- The first version of Emotet was created to intercept internet traffic in order to steal banking details.
- The second version in 2014 included modules to automatically target German and Austrian banks. It also hosted a money transfer system that conducted fraud swiftly, before security systems would notice.
- A 2015 update included additional stealth capabilities that hid Emotet from most anti-virus programs. It also started targeting banks in Switzerland.
These early versions of Emotet were Trojan horses, which primarily aim to steal banking credentials and conduct illicit money transfers.
2018 and forward
By 2018, Emotet had evolved from a traditional Trojan horse into what is known as a “dropper.” This means that Emotet, as well as infecting systems itself, delivers and downloads other Trojan horses and ransomware onto those systems. Therefore, one Emotet attack could lead both to data being stolen without the victim’s knowledge and to an individual, business, or other organization falling victim to ransomware. It is thought this occurs via the creators of Emotet “leasing” their software to other criminals. Those criminals pay for the malware to help them gain access, and keep 100% of the profits from their own ransomware or other malware.
By 2019, it was being used as a botnet to target larger numbers of people and organizations, particularly banks across Europe and the United States.
As of 2020, Emotet continues to be active, with campaigns detected throughout the year. In late 2020, the malware was found to be distributed from around 50,000 parked domains. These are either newly registered domains that were parked immediately, or existing domains in good standing that the previous owner didn’t renew.
Five famous malware attacks using Emotet
Emotet has been the cause of several high-value cyberattacks in recent years. Five of the most significant are:
- A February 2018 attack on local government in Allentown, Pennsylvania, in which local government computer systems were infiltrated. Although nothing was spent on ransomware payouts, the total costs of fixing and mitigating damage caused by the attack totaled more than $1 million.
- A July 2019 attack on the town of Lake City, Florida, caused losses of $460,000 because of ransomware payouts.
- A May 2019 attack on Heise Group, a publishing house based in Germany. This attack was caused by an employee opening what looked like a legitimate email attachment. However, it is not known what financial damages, if any, were incurred.
- An August 2020 attack on the Justice Department of Quebec, in Canada. While the Justice Department stated no data was stolen or financial loss incurred, the department received fierce criticism for its slow response to the problem. As of December 2020, the department remains accused of not fully appreciating the severity of the attack.
- Throughout September 2020, government agencies across Europe reported increased Emotet activity and fraud attempts. However, it is unknown to what extent these were successful.
How does Emotet malware spread, and why is it so difficult to detect?
Emotet typically spreads through email systems by hijacking accounts and sending out malicious emails.
Once the malware is in your system, it scans your inbox and email contact list. It can then reply to genuine email messages with malicious attachments or links. This is another factor that makes Emotet more dangerous than traditional phishing emails, which are often easy to spot because they arrive at random from an unfamiliar source.
As the people in your contact list receive what looks like a genuine reply – to an email they really did send – they’re more likely to open it and click the attachment or link. If they do this, the malware can infect their system, steal data, install other malware, and repeat the process with that person’s email account.
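The thread-hijacking behaviour described above leaves a signal that a mail gateway or SIEM can key on: a message that looks like a reply, but arrives from a domain that never took part in the original conversation, often with a macro-capable Office attachment or a generic call-to-action link. The following is an added example, not code from the original article or from any vendor; the Mail records are constructed and simplified stand-ins for mail-gateway log entries, and their field names, the extension list and the lure phrases are assumptions for this illustration.

```python
"""Heuristic triage for Emotet-style reply-chain lures.

Added example, not code from the original article or from any vendor. Each
Mail record is a constructed, simplified view of what a mail gateway log
would hold; the field names are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Office attachment extensions that can carry VBA macros (assumed list; extend as needed).
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}

# Link texts of the kind the article cites as common lures ("Payment Details").
LURE_PHRASES = ("payment details", "invoice", "view document")

REPLY_PREFIX = re.compile(r"^\s*(re|aw|fw|fwd)\s*:", re.IGNORECASE)


@dataclass
class Mail:
    sender: str                     # address in the From: header
    subject: str
    in_reply_to: str | None         # In-Reply-To header value, if any
    thread_participants: set[str]   # addresses that took part in the original thread
    attachments: list[str] = field(default_factory=list)
    link_texts: list[str] = field(default_factory=list)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(m: Mail) -> list[str]:
    """Return the reasons a message deserves quarantine or review ([] if none)."""
    reasons = []
    looks_like_reply = m.in_reply_to is not None or bool(REPLY_PREFIX.match(m.subject))

    # A reply that arrives from a domain which never took part in the conversation
    # is the hallmark of a hijacked thread replayed from an attacker-controlled account.
    known_domains = {domain(p) for p in m.thread_participants}
    if looks_like_reply and domain(m.sender) not in known_domains:
        reasons.append("reply from a domain outside the original thread")

    # Macro-capable Office attachments are the delivery vehicle the article describes.
    for name in m.attachments:
        if PurePosixPath(name).suffix.lower() in MACRO_CAPABLE:
            reasons.append(f"macro-capable attachment: {name}")

    # Short, generic call-to-action link texts are typical of the lure mails.
    for text in m.link_texts:
        if any(phrase in text.lower() for phrase in LURE_PHRASES):
            reasons.append(f"lure-style link text: {text!r}")

    return reasons


# Constructed samples: a hijacked reply and the genuine reply it imitates.
THREAD = {"alice@supplier.example", "bob@corp.example"}
HIJACKED = Mail(
    sender="alice.supplier@freemail-provider.test",  # not alice@supplier.example
    subject="RE: Q3 contract",
    in_reply_to="<msg-1@supplier.example>",
    thread_participants=THREAD,
    attachments=["invoice.doc"],
    link_texts=["Payment Details"],
)
LEGIT = Mail(
    sender="alice@supplier.example",
    subject="RE: Q3 contract",
    in_reply_to="<msg-1@supplier.example>",
    thread_participants=THREAD,
    attachments=["contract-signed.pdf"],
    link_texts=["Our website"],
)

if __name__ == "__main__":
    for label, mail in (("hijacked", HIJACKED), ("legit", LEGIT)):
        print(f"{label}: {triage(mail) or 'no findings'}")
```

The domain check is deliberately conservative: a genuine reply from a participant's own address produces no finding, while a reply replayed from another account trips it even when the subject, quoted text and In-Reply-To header are all copied faithfully from the stolen thread.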
Emotet is challenging to detect because of how it is written, which helps it get around most anti-virus products. A traditional virus uses the same code “signature” each time it tries to establish itself on your system. Therefore, as long as your anti-virus software knows what signature to look for, it can block these viruses.
In contrast, Emotet is what is known as polymorphic malware. This means the malware’s “signature” changes on each machine it installs itself on, so signature-based anti-virus software cannot recognize it. Emotet also detects when it is running in a virtual machine and can lie dormant until it can act effectively.
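To make the signature argument concrete, the following added example (not code from the article, and the byte strings are constructed stand-ins, not real malware) contrasts an exact-hash signature with a wildcard byte pattern of the kind rule languages such as YARA support. Two constructed "builds" share a small invariant skeleton but differ in the bytes around it; the hash signature knows only the first build, the pattern catches both.

```python
"""Why an exact-match signature misses a polymorphic sample.

Added example, not from the article. SAMPLE_A and SAMPLE_B are constructed
byte strings that stand in for two builds of the same malware family; they
are not real malware. The wildcard notation is a simplified form of the
hex-string-with-wildcards syntax used by rule languages such as YARA.
"""
from __future__ import annotations

import hashlib

# Two constructed "builds": the same call skeleton (push 0 / push imm32 / call rel32)
# with different immediates and different filler bytes around it.
SAMPLE_A = bytes.fromhex("4d5a9000" "6a00" "68" "11223344" "e8" "aabbccdd" "90909090")
SAMPLE_B = bytes.fromhex("4d5a9000" "cc" "6a00" "68" "55667788" "e8" "01020304" "cccccc")


def hash_match(data: bytes, known: set[str]) -> bool:
    """Classic exact signature: the whole file's SHA-256 must already be known."""
    return hashlib.sha256(data).hexdigest() in known


def parse_pattern(text: str) -> list[int | None]:
    """'6A 00 68 ?? ??' -> [0x6a, 0x00, 0x68, None, None]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def pattern_match(data: bytes, pattern: list[int | None]) -> int:
    """Return the offset of the first match of the wildcard pattern, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


# Only build A has ever been submitted to the vendor, so only its hash is "known".
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}
# The pattern keys on the invariant skeleton and wildcards the bytes that change per build.
SKELETON = parse_pattern("6A 00 68 ?? ?? ?? ?? E8")


def classify(data: bytes) -> dict[str, bool]:
    """Verdict of each detection method for one sample."""
    return {
        "exact_hash": hash_match(data, KNOWN_HASHES),
        "wildcard_pattern": pattern_match(data, SKELETON) >= 0,
    }


if __name__ == "__main__":
    for name, sample in (("build A", SAMPLE_A), ("build B", SAMPLE_B), ("benign", bytes(16))):
        print(name, classify(sample))
```

A real polymorphic engine rewrites far more than the filler bytes, so even wildcard patterns eventually miss; that is why detection of Emotet leans on what the code does once it runs (the processes it spawns, the network connections it makes) rather than on what it looks like on disk.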
How can you protect yourself from Emotet?
The most effective means of protection against this malware is a SIEM solution that can help identify and quarantine Emotet emails and those carrying associated malware such as Ryuk ransomware. A SIEM solution such as LogPoint can help detect Emotet and bring an added layer of security to your business emails.
In addition to choosing software that will help you block Emotet attacks and continually monitor your internal networks, you should also:
- Disable macros from being used in Microsoft Office files.
- Immediately install any security updates when they’re available across the software you use.
- Make regular backups of all data, and store these securely in a different location to the master files.
- Create a culture of diligence within your company. If people are wary of the attachments they open – or you use cloud software to render attachments harmless – you will reduce your risk of falling victim to Emotet almost to zero. Make sure your team doesn’t let the security software you use lull them into a false sense of security!
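The macro-based delivery described earlier and the SIEM monitoring recommended here meet on the endpoint: a macro that fetches Emotet has to launch something, and an Office application spawning a shell or script host is a signal a SIEM can alert on with little noise. The following is an added example, not LogPoint's or the article's own code. The events are constructed to resemble the fields of a Windows process-creation record (Sysmon Event ID 1 or Security Event 4688); the dict keys, the scoring weights and the command-line fragments are assumptions for this illustration and should be mapped to the SIEM's own field names.

```python
"""Flagging Office applications that spawn script hosts, the pattern a
macro-based downloader produces on the endpoint.

Added example, not code from the original article or from LogPoint. The
events are constructed to resemble the fields of a Windows process-creation
record (Sysmon Event ID 1 or Security Event 4688); the dict keys used here
are an assumption and should be mapped to the SIEM's own field names.
"""
from __future__ import annotations

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that raise suspicion when seen under an Office parent (assumed list).
SUSPICIOUS_ARGS = ("-enc", "-nop", "-w hidden", "-windowstyle hidden", "downloadstring")
ALERT_THRESHOLD = 70


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; higher means more Emotet-like."""
    score, reasons = 0, []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()

    # Office applications have no business launching a shell or script host.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        score += 70
        reasons.append(f"{parent} spawned {child}")

    # Obfuscated or hidden-window invocations add weight only under an Office parent;
    # otherwise legitimate admin scripts would generate noise.
    if parent in OFFICE_APPS:
        for fragment in SUSPICIOUS_ARGS:
            if fragment in cmd:
                score += 10
                reasons.append(f"command line contains {fragment!r}")

    return score, reasons


def find_alerts(events: list[dict]) -> list[dict]:
    """Return an alert record for every event at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev["host"], "score": score, "reasons": reasons,
                           "command_line": ev.get("CommandLine", "")})
    return alerts


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed sample events: a user opening a document, a benign print helper
# spawned by Word, the macro-driven PowerShell launch, and an admin's own script.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE16 + r"\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\j.doe\Downloads\invoice.doc"'},
    {"host": "WS-042", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"host": "WS-042", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"host": "WS-017", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Disabling macros, as the first bullet above recommends, removes the path this rule watches; keeping the rule anyway catches the cases where a user or an exception policy has re-enabled them.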
What action can you take if your systems are hit with Emotet?
If you believe you have been hit by an Emotet infection, do the following:
- Remove potentially infected systems from your network.
- Check the system and remove the malware if you’re able to confirm it is present. It may be necessary to wipe and reinstall the system.
- Check for other ransomware and other malware that may have been dropped by Emotet. If these are present, you should remove these also.
- Check and clean up every other system in your network, one at a time. Remember that Emotet can sit dormant on your systems. Invest the time to verify that the problem is really gone rather than assuming it is as soon as you feel you’ve dealt with it.
- Once you have confirmed the malware isn’t present on your network, reintegrate the system on which you identified the initial infection.