When it comes to malware, Emotet stands alone. Few
threats have achieved the kind of longevity and pervasiveness seen with the
Emotet Trojan. Malwarebytes Labs called
Emotet “the most fearsome and dangerous threat to businesses today.” From 2018
to early 2019 Emotet frequently appeared on the Labs' list of the top 10 most
detected threats around the world. In mid-2019, as most Trojans shifted to
consumer targets and ransomware took over as the most frequent detection among
businesses, Emotet continued to loom ominously over the business security
And let’s not forget, Emotet has been around since 2014—a
lifetime in the world of malware.
Thousands, if not millions, of lesser cyberthreats have come and gone in
that same span of time.
So, why is Emotet so dangerous to your organization and why are
we still talking about it today?
Emotet uses multiple infection vectors to spread from one
system to the next. As of late, Emotet has spread via an aggressive
campaign with malware-laden attachments. Once Emotet has infiltrated an
organization’s network, it’s designed to spread via email. Emotet’s spreader
modules give it the ability to find SMB shares, upon which it can copy itself.
Emotet can brute-force accounts with commonly used credentials. From an existing
infection, Emotet can also spread via the well-documented EternalBlue
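The spreading behaviour described above (password brute-forcing followed by copying itself to SMB shares) leaves a recognisable footprint in Windows Security logs. The script below is an added illustration written for this page, not Malwarebytes code or an Emotet artifact: it runs two simple heuristics over a handful of constructed, simplified log lines (a burst of failed logons from one source against several accounts, then a write of an executable to an administrative share). The `key=value` line format, the field names and the thresholds are assumptions chosen for the example; real event forwarding would need a proper parser for event IDs 4625/4624/5145.

```python
"""Toy detection of Emotet-style lateral movement in Windows Security log summaries.

Two heuristics drawn from the behaviour described on the page:
  1. Credential brute force: many failed logons (event 4625) from one source
     host against several accounts inside a short window.
  2. Self-copy over SMB: an executable written to an administrative share
     (event 5145 with WriteData access).
The log lines are constructed for the example; the 'key=value' format is a
simplification, not real Windows event formatting.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
SHARE_ACCESS = "5145"

BRUTE_FORCE_THRESHOLD = 5                   # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... within this sliding window
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}     # assumed list of shares worth watching
EXEC_SUFFIXES = (".exe", ".dll")

LINE_RE = re.compile(r"(\S+)\s+(.*)")


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_brute_force(events):
    """Flag a source with >= THRESHOLD failed logons inside WINDOW (sliding)."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == FAILED_LOGON:
            by_src[ev["src"]].append(ev)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside WINDOW.
            while fails[end]["ts"] - fails[start]["ts"] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                users = sorted({e["user"] for e in fails[start:end + 1]})
                alerts.append({"rule": "brute_force", "src": src,
                               "host": fails[end]["host"], "users": users})
                break  # one alert per source is enough here
    return alerts


def detect_admin_share_exec_write(events):
    """Flag an executable being written to an administrative share."""
    alerts = []
    for ev in events:
        if (ev.get("event") == SHARE_ACCESS
                and ev.get("share") in ADMIN_SHARES
                and "WriteData" in ev.get("access", "")
                and ev.get("path", "").lower().endswith(EXEC_SUFFIXES)):
            alerts.append({"rule": "admin_share_exec_write", "src": ev["src"],
                           "host": ev["host"], "path": ev["path"]})
    return alerts


def analyse(lines):
    """Parse the lines and return all alerts, brute-force alerts first."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return detect_brute_force(events) + detect_admin_share_exec_write(events)


# Constructed sample: a password spray from 10.0.0.55 against WS-07, a
# success, then svc.exe dropped on ADMIN$. Two benign lines are mixed in.
SAMPLE_LOG = [
    "2019-09-10T10:00:01 host=WS-07 event=4625 src=10.0.0.55 user=admin",
    "2019-09-10T10:00:03 host=FS-01 event=4625 src=10.0.0.12 user=jsmith",
    "2019-09-10T10:00:05 host=WS-07 event=4625 src=10.0.0.55 user=administrator",
    "2019-09-10T10:00:09 host=WS-07 event=4625 src=10.0.0.55 user=user",
    "2019-09-10T10:00:13 host=WS-07 event=4625 src=10.0.0.55 user=test",
    "2019-09-10T10:00:17 host=WS-07 event=4625 src=10.0.0.55 user=guest",
    "2019-09-10T10:00:21 host=WS-07 event=4625 src=10.0.0.55 user=admin",
    "2019-09-10T10:00:25 host=WS-07 event=4624 src=10.0.0.55 user=admin",
    "2019-09-10T10:00:30 host=FS-01 event=5145 src=10.0.0.12 user=jsmith share=Public path=report.docx access=ReadData",
    "2019-09-10T10:00:31 host=WS-07 event=5145 src=10.0.0.55 user=admin share=ADMIN$ path=svc.exe access=WriteData",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, the first heuristic fires for `10.0.0.55` with the five distinct account names it tried, and the second fires for the `svc.exe` write to `ADMIN$`; the single failed logon from `10.0.0.12` and the document read on the `Public` share produce nothing. In practice the two signals are most useful correlated together per source host, which is what gives an analyst confidence that a share write is a malware self-copy rather than an administrator pushing a tool.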
Emotet changes with the times. First observed by cybersecurity
researchers in 2014, Emotet started life as a banking Trojan designed to sneak into
financial networks and steal sensitive data. Targets were limited to banking
organizations in Germany, Austria, and Switzerland. Emotet reappeared in 2018
with a whole new bag of tricks and spread globally. Emotet is now a delivery
mechanism for other threats. Once Emotet lands on a target system, the Trojan reaches
out to command & control servers to download the primary payload, which
leads us to our next point.
Emotet can be used to spread ransomware. From Q2 2018
to Q2 2019, ransomware
attacks on businesses went up 365 percent. As far as Emotet is concerned, this
is great news. The threat authors behind Emotet have long since shifted away
from building a vertically integrated criminal enterprise and now sell their
services as a malware infection tool-for-hire to other cybercriminals. In this
capacity, Emotet has been observed spreading the Ryuk
ransomware strain as well as other banking Trojans, notably TrickBot.
Emotet is hard to clean up once it lands on your network.
In one attack on
the City of Allentown, PA, city officials needed help from Microsoft’s incident
response team to clean things up to the tune of $1 million. Why is this? Emotet
knows if it’s running in a virtual environment, can dodge spam filters, and
even uninstall security programs.
Summing up, as an IT professional or network administrator,
you need to be aware—Emotet is the perfect storm of capability and virulence.
If you’re the victim of an Emotet attack or want to take proactive measures
against a possible attack, Malwarebytes has put together an Emotet
Emergency Kit to get you started.
By Adam Kujawa, Director of Malwarebytes Labs