Emotet: How an Emotet infection occurs in companies

11/05/2019
G DATA Blog

The Emotet malware is still considered one of the most dangerous threats to corporate IT worldwide. Analysts at G DATA Advanced Analytics have tracked down how an Emotet infection starts gradually infiltrating corporate networks and then takes them out of operation bit by bit.

Even though Emotet has reached an almost biblical age for malware, the Trojan still frightens companies and authorities in particular. The German Federal Office for Information Security (BSI) is also still issuing an impressive warning about the malware and expects losses in the millions. The malware was first discovered as a banking Trojan in 2014. Since then, it has developed into a general-purpose weapon for cybercrime. The hacker collective responsible for it has continued to develop Emotet, which means that the current version is very mature. In addition, the criminals use packers to mask the malware faster and faster and put new versions into circulation. Security experts at G DATA have already counted more than 33,000 versions of Emotet in the first half of 2019 - a significant increase over the previous year.

Step 1: Silent entry

“Emotet actually only functions as a door opener, which then installs additional malware on the computer,” explains Anton Wendel, Security Engineer at G DATA Advanced Analytics. “However, the initial spam emails look very authentic, so many users regard them as genuine and open the infected attachment.”

It happens by clicking on an email attachment. The trigger that sets off the actual infection is usually the enabling of macros in Office documents. What then follows usually happens silently in the background - and completely unnoticed. Being an information stealer, Emotet reads all passwords, emails and email addresses. It dives deep into the contact history and, for example, uses content from emails to then send out spam emails to infect other devices. The fake emails thus refer to real business transactions, which encourages the spreading of the malware. In addition to this spam module, Emotet also has a worm module which it can use to autonomously distribute itself over the network. For example, it can implant itself on other computers in a company network without other users having to click on any attachments and activate it. To do so, Emotet carries out a brute force attack using known standard passwords such as “12345”, “password” and the like. The attack is particularly effective if the malware infects an admin profile with extensive access rights within the company network.

Step 2: Gathering information

Emotet is also dangerous because it loads malware as well when a computer is infected. This differs from region to region. In Germany, TrickBot, a much more aggressive banking Trojan, currently follows the initial Emotet infection. Its speciality is that the cyber gangsters can read off payment information so that they are very well informed about the company's solvency. The information gleaned during this phase is then used in the subsequent ransomware attack. Recently, the ransom demand for Emotet attacks has been based on turnover – an indicator that the perpetrators are very well aware of their victim’s financial situation so they can adjust their demands to what their target can “afford” to pay. According to information from the BSI, typical demands go far beyond the usual demands of several hundred to one thousand euros - 30,000 to 100,000 euros are no longer uncommon.

Step 3: Encryption and extortion

With knowledge of the solvency of the business and extensive control over the IT infrastructure, it is time for the final step of the attack. The attackers use Trickbot to gain access to the company network and then manually deploy the ransomware - mainly encryption software called Ryuk at the moment. What then happens is any company’s worst nightmare - Ryuk targets and encrypts business-critical data. If Ryuk manages to access any existing backups, then those are are simply deleted.

“While Emotet’s and Trickbot’s potential for harm sometimes remains undetected for months, Ryuk reveals itself quite quickly,” says Wendel. “When the ransom note pops up, it's too late.”

Rescuing data without paying a ransom

Companies are now under great pressure and facing the key question: should they pay a ransom or not? Very few companies are capable of working without functioning IT. So every minute of downtime costs the company real money. The very existence of a company is quickly put under threat if it is not able to function for several days. But paying a ransom is no guarantee of getting your data back. Anyone who has backed up data to external storage devices outside the network is a small step ahead of the criminals. They can use this data and work with it. The attempt at blackmail is futile.

“Attempts at cleaning up the infection are often unsuccessful. There is a very real risk  of parts of the malware remaining on the system unnoticed,” warns Wendel. “Working with data recovery experts is highly recommended.”

Specialists such as the analysts at G DATA Advanced Analytics can do much more than recover data. Once a system has been infected, it should basically be regarded as completely compromised. It will have to be completely rebuilt to rule out a new infection. At the same time, the experts also check which vulnerability the malware was able to use in order to to penetrate the system and provide guidance to close it. They also have the necessary expertise to identify ransomware and restore systems - without paying any ransom.

These days, the hacker collective around Emotet is relatively quiet. The number of new Trojan versions discovered every day has decreased significantly since the beginning of June. “Even though the Emotet botnets we know of are currently quiet, the danger has not yet been averted,” warns Anton Wendel. “Right now the collective is probably performing maintenance work on the network or improving the malware core. So it could well be the proverbial calm before the storm.”

6 IT security tips for companies

  1. Set up regular backups:                                                                                  
    Back up all client data regularly to network drives, external hard drives, or the Cloud. Warning: Make sure that the connection to the storage medium or network drive is disconnected after each backup - otherwise all backups may be encrypted or deleted!
  2. Install updates and patches:                                                                         
    Always keep software such as the operating system, browser and plug-ins up to date. Exploiting security holes in programs is one of the most popular methods used by cyber criminals. Central patch management helps you to keep the software on all your clients up to date and to offer malware as little attack surface as possible.
  3. Use an up-to-date security solution:                                                           
    Virus scanners and behavioural monitoring detect known ransomware before it does any damage. Malware can often be identified by universal code sequences that are typical for compression, encryption, download routines, backdoor activities, camouflage mechanisms and the like. Heuristic and generic signatures detect such universal command sequences even in previously unknown malware families.
  4. Disable macros:
    Special care should be taken with Office documents that contain macros. It is best to prevent the automatic execution of macros in the Office suites of all clients. Alternatively, you can set exceptions for signed macros. Use seminars to raise awareness among your staff and train them in the identification of potentially dangerous files and processes.
  5. Password Manager:                                                                                          
    Use a different password for each service. It should be long enough, consist of more than one word and be complex. Password managers help you keep track of things. The advantage is that all you have to do is remember this one secure master password.
  6. Check your IT service provider:                                                                    
    Even IT service providers use bad passwords! A critical look at the working methods of the IT service providers you commission can prevent unpleasant surprises. Ask for security-related certificates or have them show you their guidelines for IT security.

Stefan Karpenstein
Public Relations Manager