On Jan 27, 2021, the Emotet botnet, the attacker's all-purpose weapon, was taken down, halting the alarming spread of this malware. The takedown was an international coordinated operation led by Europol and Eurojust. Few malware families have been as pervasive as Emotet, which has caused millions of dollars in damage to businesses around the world. It is not the only malware to operate as a loader that sells access to other criminal groups, but it was probably the best at it.
Emotet is officially gone, should I still be worried?
Though this malware is out of business for now, researchers warn that the cybercriminals who relied on the Emotet botnet have no shortage of other options for threatening businesses around the world.
All About Emotet
What is Emotet?
Emotet started life as a banking Trojan that infected a victim's computer and stole personal and sensitive information, including banking credentials. Its command-and-control infrastructure is believed to be tiered and built in part from thousands of compromised web servers, often running vulnerable CMS installations such as WordPress, which allowed the operators to keep the infrastructure running for long periods.
First seen in 2014, Emotet is attributed to a group tracked under various names, including Mealybug, TA542, and MUMMY SPIDER. Version 2 of Emotet added several modules, including a malspam module, an automated money-transfer module, and a banking module that specifically targeted Austrian and German banks. Later versions turned Emotet into a malware delivery and spamming service that distributed other banking Trojans on behalf of other criminal groups.
Early versions arrived as malicious JavaScript files attached to emails. Later versions used macro-enabled Office documents: when the victim enabled macros, the macro downloaded the Emotet payload from servers under the attackers' control.
You can track its history with the timeline:
How Does Emotet Work?
Emotet uses its existing network of infected bots as the launch point for each cycle: it sends legitimate-looking spam emails, infects the recipients who open the attachment or link, steals their contact lists and email content, and then repeats the process with those stolen contacts as new targets. Once on a host, it establishes persistence and injects itself into running processes so it can propagate further and wreak havoc on the enterprise network.
Over the years the malware evolved into a loader capable of delivering secondary payloads such as the TrickBot Trojan and Ryuk ransomware. As a result, victims could experience anything from data and credential theft to file encryption and the execution of backdoor commands, any of which can cripple their network.
Emotet uses a wide range of tricks to evade detection and analysis by anti-malware products and other security tools. Its worm-like modules also let it spread to other devices on the same network.
What Could It Do to Your Business?
Emotet targets every business, regardless of size, sector, or type of organization. To date, it has hit companies, government bodies, and individuals across Europe and the US, stealing financial data, banking logins, and Bitcoin wallets.
Access to Emotet-infected machines was sold to other criminal groups on a pay-per-install basis, a cybercrime-as-a-service model. Once a system was compromised by Emotet, the buyers would drop secondary malware such as ransomware. In 2019 Emotet reached its peak and was recognized as the most dangerous and prominent malware threat. After going quiet at the beginning of 2020, it reappeared in the middle of the year.
Law enforcement agencies and security vendors around the world issued urgent warnings about this malware in July 2020. Emotet infected victims' computers through phishing emails; IBM's X-Force discovered one Emotet variant that used a Covid-19 theme as its phishing lure.
According to Ukrainian law enforcement, Emotet infections have caused $2.5B in damages.
One noteworthy Emotet attack, on the City of Allentown, Pennsylvania, required direct support from Microsoft's incident response team to clean up the malware and cost about $1M to remediate.
These are only the publicly disclosed cases; the true number of compromised organizations is believed to be far higher.
The Emotet Takedown
In the takedown, law enforcement agencies seized control of 700+ Emotet servers worldwide. Infected computers now connect to infrastructure operated by law enforcement rather than by the attackers, so the compromised devices can no longer be used for malicious purposes and Emotet itself can no longer infect new targets. The operation was the culmination of a two-year investigation led by Europol, working with agencies from across Europe, including France, Ukraine, Germany, the Netherlands, Lithuania, and the UK.
In addition, authorities arrested two members of the gang responsible for spreading Emotet worldwide.
Is Emotet Gone Forever? – What’s Next?
Taking down the infrastructure of this most dangerous malware was a significant achievement. The authorities describe it as a major disruption that should make it hard for Emotet to regain its normal functions. WatchGuard Threat Lab reported an immediate drop in new campaigns following the disruption of the infrastructure. Although the novel approach of redirecting infected machines to law-enforcement-controlled servers makes a comeback harder, past malware disruptions have rarely had permanent effects. Polymorphic techniques, which an estimated 97% of malware now uses, make it hard to find and remove every infected host, so seizing infrastructure alone does not guarantee the malware is gone.
The TrickBot disruption is an example: its operators are highly adaptable and recovered from the takedown within a short time. If Emotet's operators follow the same pattern, the malware is not completely immobilized. In short, the Emotet botnet may return in a different form, since botnets sometimes resurface as new variants under a new gang's control.
How to Combat Emotet Malware?
While we celebrate the win against the Emotet botnet, experts recommend staying alert to botnets in general. Many organizations still lack proper patch management, leaving systems vulnerable to exploitation. Here are some tactics you can use to defend yourself against botnets:
- Train your employees to recognize phishing emails. Teach them not to click suspicious links or open unexpected attachments, and in particular not to enable macros in documents received by email. Stopping the malicious email blocks Emotet's initial foothold on your systems.
- Back up your data regularly and keep a copy offline. That way you do not lose sensitive information in the event of an infection and you do not need to pay a ransom. Sending a strong message that cybercrime does not pay is key to making your digital space a safer place.
- Use strong, unique passwords and implement two-factor authentication.
- Protect your business with a robust cybersecurity management program that includes multi-layered protection.
- Most importantly, invest in strong endpoint defense, since Emotet lands on workstations through email. A fully managed Web Application Firewall (WAF) such as AppTrana complements this by protecting your public-facing web applications, the kind of vulnerable servers that Emotet's operators compromised to host their infrastructure.
- Proper patch management is crucial to staying ahead of exploitation of newly disclosed vulnerabilities. Virtual patching, which blocks exploitation attempts at the WAF or network layer, covers the window between a vulnerability's disclosure and the deployment of the vendor patch.
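The delivery chain described earlier (macro-enabled Office documents whose macros fetch the payload) and the first mitigation above (block the initial foothold) both come down to one control: never let a macro-bearing document reach an inbox unexamined. The script below is an added example written for this article, not code from Indusface or from any Emotet sample. It triages attachments at a mail gateway by inspecting content rather than trusting the file extension: OOXML files are zip archives, and a macro-enabled one carries a `vbaProject.bin` part, so a `.docm` renamed to `.docx` is still caught. Legacy binary Office files (OLE compound files) cannot be inspected for macros without an OLE parser, so they are routed to sandbox detonation. The mailbox, attachments and the `triage_mailbox` / `classify_attachment` helper names are constructed for the example.

```python
"""Mail-gateway triage for macro-bearing Office attachments.

Added example for this article; the messages and attachments below are
constructed in-memory stand-ins, not real Emotet samples.
"""
import io
import zipfile

# Extensions that declare macro support in OOXML.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Magic bytes of a legacy binary Office file (OLE Compound File).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-style zip (constructed stand-in for .docx/.docm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Real macro-enabled files store the VBA project under this part name.
            z.writestr("word/vbaProject.bin", b"\x00stub")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML zip contains a VBA project part, whatever its extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.rsplit("/", 1)[-1] == "vbaProject.bin"
                       for name in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all, so not OOXML


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_attachment(name: str, data: bytes) -> list:
    """Return the reasons to hold an attachment; an empty list means pass."""
    reasons = []
    ext = extension_of(name)
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled extension")
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros cannot be confirmed here, so detonate it.
        reasons.append("legacy OLE container, needs sandbox")
    elif has_vba_project(data):
        reasons.append("contains vbaProject.bin")
        if ext not in MACRO_EXTENSIONS:
            # A renamed .docm, the classic way to slip past extension filters.
            reasons.append("extension hides macro content")
    return reasons


def triage_mailbox(messages: list) -> dict:
    """Map message id -> reasons for every message with a suspicious attachment."""
    held = {}
    for msg in messages:
        reasons = []
        for att_name, att_data in msg["attachments"]:
            for r in classify_attachment(att_name, att_data):
                reasons.append(f"{att_name}: {r}")
        if reasons:
            held[msg["id"]] = reasons
    return held


# Constructed sample mailbox: one clean document, one honest .docm, one
# renamed macro document, one legacy binary file, one plain text file.
SAMPLE_MESSAGES = [
    {"id": "m1", "attachments": [("invoice.docx", make_ooxml(False))]},
    {"id": "m2", "attachments": [("invoice.docm", make_ooxml(True))]},
    {"id": "m3", "attachments": [("Re_ payment.docx", make_ooxml(True))]},
    {"id": "m4", "attachments": [("statement.doc", OLE_MAGIC + b"\x00" * 16)]},
    {"id": "m5", "attachments": [("notes.txt", b"plain text")]},
]

if __name__ == "__main__":
    for mid, reasons in triage_mailbox(SAMPLE_MESSAGES).items():
        print(mid, reasons)
```

In production this check sits in front of the user, on the mail gateway or in a content-disarm step, and the held messages go to a sandbox rather than being silently dropped, so that legitimate macro workflows can be released after inspection. It is a content check only; pairing it with a Group Policy that blocks macros in documents from the internet removes the need to rely on users refusing to click "Enable Content".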
Is the Emotet botnet really gone? Only time will tell how effective Europol's disruption of Emotet has been. Hopefully it will have lasting effects and Emotet will stop haunting the threat landscape.
Every business should also be aware that other malware families, such as QakBot and TrickBot, remain active. Proper preventive measures are therefore strongly recommended to keep whatever follows Emotet from gaining a foothold.
At Indusface, our research team tracks the latest threats, updates our security tools with global threat intelligence, and improves our security services wherever required.