Emotet – Never Let Your Guard Down

The Emotet attack step-by-step

In general terms, this is how an attack works: first the recipient receives a sophisticated fake e-mail in the name of a known customer or telecom provider, for example. The e-mail either directly contains a word file attachment in *.doc format or links to a malicious file. In the e-mail, the user is informed that it is absolutely necessary to allow active content in the *.doc file (enable macros). The code is so small that analysis is a challenge for security systems.

As soon as the macro code is launched and the PC is infected in this way, Emotet opens the doors and allows access to dangerous threats like malware heavyweights such as Trickbot or Ryuk. Trickbot is a notorious banking Trojan or crypto miner. So it steals log-on details and passwords or launches crypto miner workloads on PCs or servers, and mines for cryptocurrencies. With Ryuk, a known ransomware is introduced into the system, which encrypts the data and starts a classic round of blackmail: those who pay quickly will purportedly receive the respective decryption tool. Emotet continues to hijack the e-mail program, along with the address book, proliferating further. Unfortunately, this is very effective, as the sender is known to the receivers of the new infected e-mail and considered trustworthy.

Thus, the attacks or their consequences are not always the same. What's more, the exact types of Emotet, Trickbot or Ryuk, for instance, often vary. Through analysis with the help of the servers controlling the botnet, Emotet can also find out whether it has landed on a private PC or on a workstation in a corporate network. This also influences how the attacker will further proceed. Once Emotet is in a network, it attempts to directly spread out among additional corporate PCs.

The future of Emotet

Naturally, no one can accurately predict just what the future of Emotet and all its variants will look like. But if we look at comparable cases, a trendline becomes apparent. It would seem to develop the same way as Carbanak malware, with which banks were attacked per phishing and more than one billion dollars were stolen. While the malware was identified and the network was taken down, the highly-efficient code of the malware served as a blueprint for new malware for many years. Experts assume that the technology and parts of the Emotet code will continue to be used for a long time.

Which means that the problem of extremely difficult detection of Emotet will still be with us. As long as that is the case, there will be further botnets directly relying on Emotet and its variants and launching attacks. Add to this the fact that many companies currently still vastly underestimate the existing danger. Put in basic terms, some of them simply got off lucky.

The attacks, however, are still continuing. This can also be easily gleaned on AV-Atlas.org, the Threat Intelligence Platform, a real-time platform for cyber threats. Because Emotet mainly proliferates via phishing e-mails, the experts from AV-TEST paid special attention to the category of spam e-mail after the takedown of the botnet at the end of January 2021. While the traffic of phishing e-mails containing Emotet samples dipped slightly, it already resumed its previous level after two or three weeks. This supports the theory that the attacks were taken over by other botnets.

More protection against all forms of Emotet

Consumers, along with corporate users, have an entire bundle of options to protect against malware like Emotet or other ransomware, for example. The first step is to use a good and up-to-date protection solution on a PC or on clients and servers. In this area, the AV-TEST examines in its certification test which solutions can be recommended, making test results freely available:

• Tests of Windows protection software for consumer users
• Tests of Windows protection software for corporate users

This initial filtering greatly lowers the risk, as not only files from the Internet, but also e-mail attachments, are examined and end up in the quarantine, where necessary.

Blocking macros

As the Emotet code is executed via macros in documents, consumers and corporate users should strictly refrain from enabling macros in applications. This is a default feature in Office, for instance, but it is often defeated by users themselves. Often, it is not possible for corporate users to forbid the use of macros, as otherwise workflows would be disturbed. Modern network management can offer a remedy in this regard by providing rules that enable macros certified by the IT department per code signature. Even Microsoft explains and recommends the use of signed macros. 

Data backup in the cloud

In the event that ransomware like Ryuk strikes with the help of Emotet, then the subsequent encryption generally cannot be cracked without the matching code. Normally this doesn't involve the Windows systems themselves, but rather the data partitions with constantly changing work data. Even continuously connected backup drives are of little help, as these are encrypted as well. Cloud services can provide a remedy here.

A cloud solution is normally already included in large enterprise solutions. Small and medium-sized companies, for example, can rely on solutions such as OneDrive for Business. In this case, cloud-based stored data which has been completely encrypted can be restored to any time within the previous 30 days. Solutions such as these are also offered by other business clouds, e.g. Dropbox. Consumer users can also take advantage of such clouds, because there as well, the changes per file are always stored – often up to 10 versions. Restoring data is somewhat more complex, however. But in case a PC is infected, it is straightforward and only takes a bit more time and effort.

Additional protection software

For an endpoint security package, major corporate users normally rely not only on one solution but also use additional security modules, also from other manufacturers. This is a good strategy, and it could also be used in the SME sector or by consumers.

Small and medium-sized enterprises, for instance, can use the free Kaspersky anti-ransomware tool for business for their clients alongside their security solution. It monitors the processes on a PC and based on a database, detects actively operating ransomware, and processes its uses. If an encryption process has been launched, the tool blocks it, in the event that the security solution has not triggered already. The tool is helpful on home PCs as well. Consumer users, however, also have the option of using combined backup software, also featuring an anti-ransomware tool, such as Acronis Backup. In that application, there is an additional process monitor to check whether ransomware is involved. If this is the case, the process is terminated and the modified data is restored from the backup.