New record in 2019: Emotet now has over 30.000 variants and counting


More than 200 new versions per day - the creators of the Emotet Trojan are responsible for the most productive cyber crime campaign currently running. G DATA has discovered more versions in the first half of 2019 than in the whole of 2018.

The Emotet Trojan is one of the most common and dangerous threats for companies. The all-purpose cyber crime weapon is mostly used by criminals for targeted espionage in companies. After the initial infection, further malware such as Trickbot or the Ryuk ransomware is used. In the first half of 2019 alone, security experts at G DATA recorded more than 33,000 variants of the malware - more than in the whole of 2018. Criminals are changing their malware at ever shorter intervals, with the help of so-called crypters - packers that give the malware a new look and are intended to hide it from detection by security solutions such as G DATA Total Security. Last year, G DATA observed around 28,000 versions of the malware - an average of around 70 versions a day.

More and more versions of the Emotet Trojan

In the first half of 2019, more than 33,000 versions of Emotet had already been recorded in the databases. It seems that the criminals are trying to get new versions into circulation faster and faster. G DATA uses the AI technology DeepRay to counteract the ever-faster spread of such malware. DeepRay applies years of experience in malware analysis and processes this with the help of specially developed algorithms. This means that threats such as Emotet can be detected and blocked much faster. The Emotet Trojan is not only dangerous because of the volume of new samples: “In the background, the criminals are using state-of-the-art technologies such as AI and graph databases to make their attacks look as credible as possible,” says Tim Berghoff, Security Evangelist at G DATA Software.  “Spam emails are no longer sent in the name of alleged Nigerian princes - they look like normal business transactions. These are difficult to recognise even by trained employees.” Emotet itself acts as a kind of bridgehead on infected users’ systems. Most malware is spread through Word documents with malicious macros. Social engineering methods are then used to get users to activate them. A Powershell command is then executed in the background to install the actual malware. After infection, Emotet can download numerous modules. We have described these in detail in a separate blog post.

Companies can breathe a little easier - for now

Despite the record figures in the first half of the year, new infections involving Emotet have declined in recent weeks. Since 8 June, G DATA has received far fewer new samples and the number of infections has also decreased. It is possible that the group behind Emotet is reforming itself.

Hauke Gierow
Head of Corporate Communications