What measures have you taken to protect your organization against Emotet malware campaigns? We wish we could assure you otherwise, but your antivirus software, antispyware, and firewalls simply aren’t enough to safeguard you.
What Is Emotet?
Emotet is a trojan that was first designed to steal banking credentials, but it has grown into a cyberthreat of epidemic proportions. ZDNet reported on May 29, 2019, that “Emotet accounts for almost two-thirds of payloads delivered by email during the start of 2019, as the malware continues to plague businesses and individuals around the world.”
The threat actor behind this sophisticated malware has turned Emotet into crimeware for sale on the dark web. Essentially, teams of highly skilled cybercriminals can purchase it as an attack framework and then design and deploy their own phishing campaigns.
As a result, Emotet has become “among the most costly and destructive malware” to affect businesses, organizations, and even municipal governments, according to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA).
How Does Emotet Work?
How does Emotet make it into your environment?
Emotet campaigns are delivered via emails from fraudulent organizations asking users to click a link or open a malicious attachment.
But don’t assume that these phishing emails are easy to spot. Attackers are continually evolving their methods to deceptively customize their campaigns—carefully branding them to look like partner vendors your organization regularly does business with.
In fact, the Canadian Centre for Cyber Security, the Government of Canada’s official cybersecurity department, warns us in their 2018 report that “cyber threat actors use specific social engineering techniques against businesses.” Often the campaigns are “aimed specifically at senior executives or other high-profile recipients with privileged access to company resources” (17).
For example, the spam email may notify you about a supposed shipment, ask you to verify account information, or request payment for an invoice.
Once you open that malspam link or attachment, cybercriminals begin to swiftly and quietly rob you of private information using automated but incredibly resourceful means. Emotet then spreads rapidly to other systems across the network, allowing the imposter entity to steal all kinds of private and valuable data.
In short, threat actors deploy Emotet to:
- Steal your credentials
- Send that data back to the threat actor via secured channels
- Discover the network for additional victims
- Infect and move laterally
- Rinse and repeat
Worse yet, attackers also use Emotet to deploy automated ransomware to extort money from companies and organizations. This tactic can be financially devastating—and cybercriminals can carry it out with surprising ease, as highlighted in the same 2018 report by the Canadian Centre for Cyber Security (13).
In fact, the report states that out of the nearly 2,000 Canadians who answered the 2017-2018 Canadian Internet Registration Authority Survey, 19 percent said they had been hit by ransomware. That’s nearly one in five.
Why Is Protecting Against Emotet So Challenging?
Emotet evades average threat detection because of its wormlike properties. It is polymorphic, bypassing signature-based detection. It’s capable of updating itself, changing its “ID” each time it performs an action, allowing it to always be steps ahead and cover its tracks.
So, unfortunately, relying on even the most seasoned IT team to hold down the fort in a corporate context may not be enough.
What Can You Do?
A crucial thing to note about Emotet is that it requires an action on your part to let it in. Rather than trying to do something like bypass your firewall (which prevents malicious traffic from coming in), it entices the user to interact with it and thus grant it direct access.
When it comes to Emotet, the user is the first line of defense, so informed awareness among users is key. Ensure that every employee in your organization:
- is educated about Emotet and its dangers
- learns how to recognize more deceptively crafted malspam
- knows they must never click or download anything even remotely suspicious
All the basic precautions, like two-factor authentication, are essential. But with the threat landscape evolving so quickly, the Canadian government warns that Canadian “businesses of all sizes” remain more vulnerable than they realize.
Fortifying Your Cybersecurity
You can fortify your cybersecurity by investing in proactive, comprehensive threat detection and continuous monitoring.
Here’s how we would tackle Emotet. At ElevatedPrompt we continually track the latest Emotet campaigns and analyze what post-infection looks like:
- When spam comes in, we see the antispam catching it (at which point it may or may not be delivered to the end user).
- We take the email and the malicious attachment or link and isolate it by running and monitoring it in a controlled environment so that we can thoroughly investigate what it does, what infrastructure it is using, and how it is sending that private information back to the attacker.
- We then use the intelligence data we have identified as a feedback loop to determine whether infection or compromise has taken place.
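The feedback loop in the last step can be sketched as a retro-hunt: indicators observed in the controlled environment are matched against web proxy logs to find internal hosts that contacted the same infrastructure. This is an added example, not ElevatedPrompt's tooling; the indicators, the log format, and the function names are assumptions constructed for illustration, and only IPv4 and domain indicators are handled.

```python
import re

# Constructed indicators standing in for sandbox output (reserved test ranges/names).
SANDBOX_IOCS = ["203.0.113.45", "CDN.Invoice-Docs.example.",
                "hxxp://update.billing-portal[.]example/wp-content/"]

# Constructed proxy log; assumed format: timestamp client method url status.
PROXY_LOG = """\
2019-06-03T09:14:02Z 10.1.4.23 GET http://update.billing-portal.example/wp-content/x 200
2019-06-03T09:14:09Z 10.1.4.23 POST http://203.0.113.45:8080/ 200
2019-06-03T09:20:41Z 10.1.7.80 GET http://intranet.corp.example/home 200
2019-06-03T10:02:17Z 10.1.9.12 GET http://a.cdn.invoice-docs.example/doc 404
2019-06-03T10:05:00Z 10.1.9.12 GET http://notcdn.invoice-docs.example.org/ 200
malformed line
"""

def normalize(value):
    """Refang an indicator or URL and reduce it to a bare lowercase host or IPv4."""
    s = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s).split("/", 1)[0]  # drop scheme and path
    s = re.sub(r":\d+$", "", s)                          # drop port
    return s.rstrip(".")

def match_ioc(host, iocs):
    """Return the indicator a host matches: exact, or subdomain of a domain IoC."""
    for ioc in iocs:
        is_ip = re.fullmatch(r"[\d.]+", ioc) is not None
        if host == ioc or (not is_ip and host.endswith("." + ioc)):
            return ioc
    return None

def retro_hunt(log_text, raw_iocs):
    """Map each internal client to its hit count, first/last seen and matched IoCs."""
    iocs = {normalize(i) for i in raw_iocs}
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = parts
        hit = match_ioc(normalize(url), iocs)
        if hit:
            f = findings.setdefault(client, {"hits": 0, "first": ts, "last": ts, "iocs": set()})
            f["hits"] += 1
            f["last"] = ts
            f["iocs"].add(hit)
    return findings

print(retro_hunt(PROXY_LOG, SANDBOX_IOCS))
```

The subdomain match is anchored on a leading dot, so a lookalike such as `notcdn.invoice-docs.example.org` does not produce a false hit.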
All this investigative information builds and expands our threat intelligence and knowledge base about the tactics, techniques, and procedures (TTPs) of attackers. And in the event of infection, we also provide incident-response service.
Our thorough investigation, informed analysis, and comprehensive threat intelligence can be part of your arsenal to combat Emotet and other destructive cyberthreats.
With ElevatedPrompt, you’ll get direct tactical and strategic advice that is 100% actionable. We’re here to complement your business’s existing safeguard technologies and resources, and provide effective threat detection and response.
Let us take care of security, so you can focus on business.