The Emotet malware is still considered one of the most dangerous threats to corporate IT worldwide. Analysts at G DATA Advanced Analytics have tracked down how an Emotet infection starts gradually infiltrating corporate networks and then takes them out of operation bit by bit.
Even though Emotet has reached an almost biblical age for malware, the Trojan still frightens companies and authorities in particular. The German Federal Office for Information Security (BSI) is also still issuing an impressive warning about the malware and expects losses in the millions. The malware was first discovered as a banking Trojan in 2014. Since then, it has developed into a general-purpose weapon for cybercrime. The hacker collective responsible for it has continued to develop Emotet, which means that the current version is very mature. In addition, the criminals use packers to mask the malware faster and faster and put new versions into circulation. Security experts at G DATA have already counted more than 33,000 versions of Emotet in the first half of 2019 - a significant increase over the previous year.
“Emotet actually only functions as a door opener, which then installs additional malware on the computer,” explains Anton Wendel, Security Engineer at G DATA Advanced Analytics. “However, the initial spam emails look very authentic, so many users regard them as genuine and open the infected attachment.”
It happens by clicking on an email attachment. The trigger that sets off the actual infection is usually the enabling of macros in Office documents. What then follows usually happens silently in the background - and completely unnoticed. Being an information stealer, Emotet reads all passwords, emails and email addresses. It dives deep into the contact history and, for example, uses content from emails to then send out spam emails to infect other devices. The fake emails thus refer to real business transactions, which encourages the spreading of the malware. In addition to this spam module, Emotet also has a worm module which it can use to autonomously distribute itself over the network. For example, it can implant itself on other computers in a company network without other users having to click on any attachments and activate it. To do so, Emotet carries out a brute force attack using known standard passwords such as “12345”, “password” and the like. The attack is particularly effective if the malware infects an admin profile with extensive access rights within the company network.
Emotet is also dangerous because it loads malware as well when a computer is infected. This differs from region to region. In Germany, TrickBot, a much more aggressive banking Trojan, currently follows the initial Emotet infection. Its speciality is that the cyber gangsters can read off payment information so that they are very well informed about the company's solvency. The information gleaned during this phase is then used in the subsequent ransomware attack. Recently, the ransom demand for Emotet attacks has been based on turnover – an indicator that the perpetrators are very well aware of their victim’s financial situation so they can adjust their demands to what their target can “afford” to pay. According to information from the BSI, typical demands go far beyond the usual demands of several hundred to one thousand euros - 30,000 to 100,000 euros are no longer uncommon.
With knowledge of the solvency of the business and extensive control over the IT infrastructure, it is time for the final step of the attack. The attackers use Trickbot to gain access to the company network and then manually deploy the ransomware - mainly encryption software called Ryuk at the moment. What then happens is any company’s worst nightmare - Ryuk targets and encrypts business-critical data. If Ryuk manages to access any existing backups, then those are are simply deleted.
“While Emotet’s and Trickbot’s potential for harm sometimes remains undetected for months, Ryuk reveals itself quite quickly,” says Wendel. “When the ransom note pops up, it's too late.”
Companies are now under great pressure and facing the key question: should they pay a ransom or not? Very few companies are capable of working without functioning IT. So every minute of downtime costs the company real money. The very existence of a company is quickly put under threat if it is not able to function for several days. But paying a ransom is no guarantee of getting your data back. Anyone who has backed up data to external storage devices outside the network is a small step ahead of the criminals. They can use this data and work with it. The attempt at blackmail is futile.
“Attempts at cleaning up the infection are often unsuccessful. There is a very real risk of parts of the malware remaining on the system unnoticed,” warns Wendel. “Working with data recovery experts is highly recommended.”
Specialists such as the analysts at G DATA Advanced Analytics can do much more than recover data. Once a system has been infected, it should basically be regarded as completely compromised. It will have to be completely rebuilt to rule out a new infection. At the same time, the experts also check which vulnerability the malware was able to use in order to to penetrate the system and provide guidance to close it. They also have the necessary expertise to identify ransomware and restore systems - without paying any ransom.
These days, the hacker collective around Emotet is relatively quiet. The number of new Trojan versions discovered every day has decreased significantly since the beginning of June. “Even though the Emotet botnets we know of are currently quiet, the danger has not yet been averted,” warns Anton Wendel. “Right now the collective is probably performing maintenance work on the network or improving the malware core. So it could well be the proverbial calm before the storm.”