Emotet is back: How to stop ‘the most destructive malware’ in existence

After four months of silence, the Emotet banking trojan is back in business, terrorizing people and organisations across the globe.

The banking Trojan is considered “among the most costly and destructive [forms of] malware”, as it can strike in countless ways. Victims might be hit with ransomware, have their passwords or intellectual property stolen, or be used as conduits to other organisations.

Security researchers spotted a surge in Emotet attacks earlier this year, but after the botnet’s command and control servers were shut down in May, many thought it signalled the end – or at least a significant respite – from the malware. However, a new wave of attacks began on 16 September, sparking fresh concerns for people’s security.

Detecting Emotet can be incredibly tricky, because it’s a form of polymorphic malware, meaning it changes form as it worms from one computer to the next. That’s not to say it’s impossible to stay safe, though, as we explain in this blog.

What is Emotet?

Emotet was first identified in 2014 as banking malware that attempted to infect victims’ computers and steal sensitive information.

It’s evolved over the years to include spamming and malware-delivery services, but its process is essentially the same. It’s mostly spread by email via infected attachments and embedded URLs.

The malware takes advantage of weak admin passwords and system vulnerabilities to distribute itself on the computer network. If it fails to gain admin privileges on the infected machine, it runs itself through other system processes.

Once on the device, it steals user credentials, card details, and financial and banking information, and sends the data back to command-and-control servers (more than 500 of which have been identified worldwide) via cookies in HTTP requests.

Preventing an attack

Organisations’ first line of defence should be anti-malware technology that scans incoming emails. Office 365 Advanced Threat Protection, for example, should be capable of detecting malicious attachments and blocking them through its Safe Attachments feature.

However, because the email could be sent from a legitimate account at an infected organisation, it could pass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) checks, since those checks only verify that the message genuinely came from the sending domain, not that its contents are safe.

We therefore recommend teaching employees how to spot malicious emails. This gives you added protection in case the emails end up in users’ inboxes, because the malware can only take effect if the user clicks the attachment or URL.

Because Emotet is propagated in the same way as other malware, a general phishing staff awareness course will cover everything your employees need to know.
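The point above, that a message can pass SPF, DKIM and DMARC and still carry the attachment or URL that delivers the malware, as an added example that is not part of the original post: a small mail-triage function that reads the authentication results but bases its verdict on the content. The sample message, the extension list and the header values are all constructed for illustration.

```python
# Added example (not from the original post). Triage a message that passes
# SPF/DKIM/DMARC yet still carries the delivery vectors the post describes:
# an attachment and an embedded URL. Sample data below is constructed.
import re
from email import policy
from email.parser import BytesParser

# Attachment types to hold for review; a locally maintained list (assumption),
# not a set defined by any mail-security product.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".lnk", ".zip"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def auth_results(msg):
    """Parse spf/dkim/dmarc results from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE)
    return {k.lower(): v.lower() for k, v in pairs}

def triage(raw_bytes):
    """Return auth status, risky content found, and a delivery verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    risky_attachments, urls = [], []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(e) for e in RISKY_EXTENSIONS):
            risky_attachments.append(fname)
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    # Authentication passing only says the sending domain is genuine (it may be
    # an infected partner), so the verdict is driven by content, not by auth.
    if risky_attachments:
        verdict = "quarantine"
    elif urls:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"authenticated": authenticated, "risky_attachments": risky_attachments,
            "urls": urls, "verdict": verdict}

# Constructed sample: fully authenticated mail from a partner domain that still
# carries a macro-enabled document and a link.
SAMPLE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: accounts@partner.example
To: finance@example.net
Subject: Re: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice or view it at http://invoice-portal.example/view?id=4471
--b1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""
```

Running `triage(SAMPLE)` reports the message as authenticated and still returns a `quarantine` verdict because of the attachment.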

What to do when you’re infected

It’s possible for a malicious email to slip through and infect your organisation even if you have the strongest defences in place. That’s simply the nature of cyber security, as you can’t expect technology and humans to never make mistakes.

If you’re infected, you must immediately assess the scale of the damage. You might get lucky and find that the malware hasn’t yet spread beyond the initial infected computer, in which case you can simply disconnect it from the network and remove the malware.

However, the chances are you won’t be that lucky. If the infection has spread, you should, if possible:

  1. Shut down the whole network;
  2. Remove the malware;
  3. Harden the components; and
  4. Restore the network to operation.

If that’s not an option, you should create an isolated clean network and rebuild your old network in there. You can do this by deploying new machines or moving existing machines into the network after a ‘sheep dipping’ process and verifying that the machines being moved are clean.

Sheep dipping is where machines are removed from the network and scanned for traces of malware, disinfected, rescanned and then connected to the clean network.

Rescanning uses at least two antivirus products that are known to find the malware.

Want more advice on Emotet?

This blog is an abridged version of our free guide, Fighting the Emotet Trojan, which you can download for free from our website. It explains in more detail:

  • How Emotet spreads, and what makes the malware so disruptive;
  • The practical steps you can take to protect yourself from Emotet; and
  • How to remove Emotet from your network in the event of an infection.


A version of this blog was originally published on 29 May 2019.