Emotet is a form of banking malware that was first discovered in 2014. Like many other forms of malware, its main objective is to extract sensitive information from the victim’s computer. However, unlike other forms of malware, Emotet is able to evade most anti-virus products.
Hewlett-Packard reported a 1200% increase in the number of attacks using the Emotet Trojan, supporting a surge in ransomware campaigns. The Department of Homeland Security has referred to Emotet as one of the most prevalent ongoing threats, as it increasingly targets state and local governments, as well as individuals and organizations.
What Is Emotet?
Emotet can arrive in the form of a malicious script, link or macro-enabled document file, and recent versions of Emotet can retrieve the payload from command and control (C&C) servers. The use of C&C servers enables it to install updated versions of the virus, as well as to dump stolen information such as credit card numbers, email addresses, and so on.
Emotet emails typically use familiar branding to trick the users into thinking that it is from a legitimate organization, such as the IRS, The Bank of America, AT&T or Wells Fargo. The emails use subjects such as “Account Alert”, “Invoice” and “Automatic Billing Message”. In some cases, it uses a more sophisticated technique called “email conversation thread hijacking”, which is where the malware hijacks existing email conversations to infect the recipient, since the recipient already trusts the sender.
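The lure characteristics described above (impersonated brands, recurring subject lines, macro-enabled attachments and replies into existing threads) can be turned into a simple triage check on inbound mail. The following is an added example written for this article, not code from the original page or from any vendor; the brand-to-domain table, the attachment extension list and the two sample messages are constructed for illustration and would be tuned to your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject fragments and impersonated brands named in the article, used as triage signals.
LURE_SUBJECTS = ("account alert", "invoice", "automatic billing message")
# Hypothetical mapping of a brand name to the domain its real mail comes from.
IMPERSONATED_BRANDS = {
    "irs": "irs.gov",
    "bank of america": "bankofamerica.com",
    "at&t": "att.com",
    "wells fargo": "wellsfargo.com",
}
# Extensions that can carry VBA macros (hypothetical list; extend for your environment).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".pptm")


def triage(raw_message: str) -> list[str]:
    """Return the reasons an inbound message looks like an Emotet-style lure (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []

    # 1. Subject line matches one of the known lure themes.
    subject = (msg.get("Subject") or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append(f"lure subject: {subject!r}")

    # 2. Display name claims a brand whose real domain does not match the sender address.
    display_name, address = parseaddr(msg.get("From") or "")
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, real_domain in IMPERSONATED_BRANDS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display_name.lower()) \
                and not sender_domain.endswith(real_domain):
            reasons.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")

    # 3. Any MIME part is a macro-capable Office document.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment: {filename}")

    # 4. Thread-hijack pattern: a reply into an existing conversation that carries such a document.
    if msg.get("In-Reply-To") and any(r.startswith("macro-capable") for r in reasons):
        reasons.append("reply into existing thread carrying a document")
    return reasons


# Constructed sample messages (not real captures).
SAMPLE_LURE = """From: "Bank of America Alerts" <notice@mail-example.test>
To: finance@example.test
Subject: Account Alert - Invoice attached
In-Reply-To: <original-thread@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Invoice_0424.docm"
Content-Disposition: attachment; filename="Invoice_0424.docm"
Content-Transfer-Encoding: base64

UEsDBBQA
--b1--
"""

SAMPLE_BENIGN = """From: "Alice Example" <alice@example.test>
To: bob@example.test
Subject: Lunch on Thursday?
Content-Type: text/plain

Still on for 12:30?
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage(sample) or "no findings")
```

None of the four signals is conclusive on its own; the value is in the combination, and in particular the last one, which is the only signal that survives when the sender is a genuinely compromised account rather than a spoofed brand.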
How Does Emotet Spread?
Emotet has worm-like capabilities that enable it to spread to other connected computers and nearby Wi-Fi networks by stealing admin passwords. Emotet is a form of polymorphic malware, as it is able to constantly change its identifiable features in order to evade detection. For example, if it finds itself running inside a virtual machine (VM) or a sandbox environment, it can adapt accordingly, which might include lying dormant to avoid detection.
Emotet will often install an additional (and arguably more advanced) banking Trojan called TrickBot, which specifically targets Windows machines. TrickBot uses the Mimikatz tool to exploit the Windows EternalBlue vulnerability. To add to the mess, TrickBot is often used as the initial entry point for Ryuk ransomware, which is specifically designed to target enterprise environments.
How Can I Protect Myself from Emotet?
The obvious first step you can take to protect yourself from Emotet malware is to educate yourself about what it is and how it works. Of course, protecting your systems from malware is a monumental task, and a complete breakdown of how this should be done is beyond the scope of this article. Instead, below are the three most important points that should be taken into consideration, to help minimize the chance of infection.
1. Make sure that all connected devices are up-to-date and have the latest patches installed. While there are strains of Emotet that target Mac OS, it is more common for them to target Microsoft Windows, as it is more widely adopted. As mentioned above, TrickBot will try to steal credentials by exploiting the Windows EternalBlue vulnerability. As such, it is crucially important to patch this vulnerability before cybercriminals can take advantage of it.
2. Make sure that your employees are sufficiently trained to identify suspicious email links and attachments. However, as mentioned previously, Emotet will often try to hijack existing email conversations, which means that training staff to identify suspicious emails might not be very effective. Ideally, users should be notified when an email is sent from their account.
This could be done either via SMS or by redirecting sent mail to an alternative email address, which they can be notified of. If the “sender” doesn’t recognize the message, they can warn the recipient accordingly.
We could even take this a step further and automate a response. However, given that there isn’t a formal solution available which notifies users of sent emails (or at least one that I know of), your best bet is to configure a real-time change auditing solution to monitor sent emails and send notifications to your phone or email address.
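One way to put the notification idea from point 2 into practice is to consume the sent-items audit records that a mail server or auditing tool already produces and turn each one into a short out-of-band notice for the account owner. The following is an added example written for this article, not the page's or any product's code; the CSV log format, the contact mapping and the log rows are constructed for illustration, and the priority rule simply applies the thread-hijacking pattern described earlier.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sent-items audit log (hypothetical format: one row per sent message).
SENT_LOG = """timestamp,account,recipients,subject,in_reply_to,attachments
2024-04-02T09:14:00,alice@example.test,bob@example.test,Re: Q1 budget,<abc@example.test>,
2024-04-02T09:15:30,alice@example.test,bob@example.test;carol@example.test,Re: Q1 budget,<abc@example.test>,Q1_budget.docm
2024-04-02T11:02:00,dave@example.test,vendor@partner.test,Invoice,,invoice.pdf
"""

# Extensions that can carry VBA macros (hypothetical list; extend for your environment).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")


@dataclass
class Notification:
    account: str   # mailbox the message was sent from
    channel: str   # out-of-band contact for the owner, e.g. an SMS number or alternative address
    priority: str  # "high" when the record matches the thread-hijacking pattern, else "normal"
    text: str      # what the owner would receive


def build_notifications(log_text: str, contacts: dict[str, str]) -> list[Notification]:
    """Turn every sent-mail audit record into a notice for the account owner.

    contacts maps account -> out-of-band channel (hypothetical); accounts with no
    registered channel are skipped rather than silently notified by email, since that
    mailbox is the one that may be compromised.
    """
    notes = []
    for row in csv.DictReader(io.StringIO(log_text)):
        account = row["account"]
        if account not in contacts:
            continue
        attachments = [a for a in row["attachments"].split(";") if a]
        macro_docs = [a for a in attachments if a.lower().endswith(MACRO_EXTENSIONS)]
        # A reply into an existing thread that carries a macro document is exactly the
        # conversation-hijacking pattern, so it is raised above routine sends.
        priority = "high" if row["in_reply_to"] and macro_docs else "normal"
        recipient_count = len(row["recipients"].split(";"))
        when = datetime.fromisoformat(row["timestamp"]).strftime("%H:%M")
        text = (f"{when}: your account sent '{row['subject']}' to {recipient_count} recipient(s)"
                + (f" with attachment(s) {', '.join(attachments)}" if attachments else "")
                + ". Reply NO if you did not send this.")
        notes.append(Notification(account, contacts[account], priority, text))
    return notes


# Hypothetical contact directory: where each owner is reached outside their mailbox.
CONTACTS = {
    "alice@example.test": "sms:+1-555-0100",
    "dave@example.test": "alt-email:dave.personal@example.test",
}

if __name__ == "__main__":
    for note in build_notifications(SENT_LOG, CONTACTS):
        print(f"[{note.priority}] -> {note.channel}: {note.text}")
```

The owner's reply ("NO") is the trigger for warning the recipients, which is the manual step the article describes; automating that response would start from the same `Notification` records.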
3. As always, you must ensure that you have a strong password policy in place. This should go without saying; however, many employees still use easy-to-guess passwords and use the same password across multiple platforms. And of course, it’s a good idea to use multi-factor authentication where possible.
Another important aspect of security is being able to ensure that you can detect the spread of ransomware in your environment and take immediate steps to shut it down. Doing this without the aid of a solution is near impossible due to the sophistication and efficacy of modern malware.
The Lepide Data Security Platform does the hard work for you, auditing, monitoring and alerting whenever the symptoms of malware are shown in your environment. With automated threat response, you can execute reactions to ransomware that shut down the threat with immediate effect.