In January, an international group of law-enforcement agencies took down Emotet, the world’s top malware. Authorities took over its command-and-control servers and installed a kill switch that will automatically uninstall the malware on April 25.
This is good news. Emotet infections can cost up to $1 million per incident to remediate, according to the US Cybersecurity and Infrastructure Security Agency. But it doesn't mean data center security managers can sit back, relax, and let the kill switch do its work.
Once it embeds itself in a system, Emotet becomes a vector for additional infections. It opens doors on an enterprise network for other malware to walk through. It’s also a worm, so it will try to spread as far and wide as it can.
Now, while the command-and-control servers are down, is the perfect time for security teams to conduct full forensics sweeps, identify any instances of the malware in their systems, trace and shutdown the pathway it used to get into the systems, and track what else it installed and where else it managed to spread.
"After the 25th [of April] you won't have the evidence that Emotet was there," Etay Maor, cybersecurity professor at Boston College and senior director of security strategy at Cato Networks, told DCK. "But you might still be exposed because there might be other malware in your systems."
What Is Emotet?
Emotet first popped up in 2014, when it was just a simple banking trojan. But it grew and evolved, becoming a key part of the “malware-as-a-service” ecosystem. Major cybercriminal groups piggybacked on the Emotet botnet infrastructure to spread their own malware, including ransomware.
"It brought in all its friends," said Maor. "Whoever paid for the malware-as-a-service was able to get their malware on millions of devices."
Emotet was also particularly good at evading defenses, including sandboxes. And, it was polymorphic. It changed automatically and constantly, evading signature-based antivirus defenses.
That's not to say that antivirus software or sandboxes are useless against malware, Maor said. "Just make sure you have network-based defenses as well. We need to up our game when it comes to detection."
Emotet infections were frequently overlooked as less critical, Adam Meyers, VP of intelligence at CrowdStrike, told us. "Many organizations ignored it for months, or years."
Emotet was the biggest malware out there last fall, hitting the first place in September, October. It took first place in December, too, when a holiday spam campaign targeted more than 100,000 users a day and impacted 7 percent of organizations globally, according to Check Point, (Trickbot was in second place with 4 percent of organizations.)
Overall, nearly 20 percent of all organizations were affected by Emotet in 2020, Check Point said – twice as many as the second most common malware, Agent Tesla.
More than 1.6 million computer systems have been infected by Emotet, and the malware has caused hundreds of millions of dollars in damage, according to the US Justice Department.
If not completely eradicated, Emotet could come back, like Trickbot did. The latter bounced back after being taken down by a coalition of tech companies in October. By February, Trickbot was the top malware, infecting 3 percent of organizations globally, Check Point said.
"Emotet hasn't been a run-of-the-mill … malware," Sam Curry, CSO at Cybereason, told us. "It became one of the biggest players on the global, cybercrime stage.”
It helped other cybercriminal operations, helping spread Trickbot and Ryuk (another damaging mailware strain), he said.
"Emotet really represented the start of cybercrime-as-a-service," Ric Longenecker, CISO at Open Systems, said. It may be down, but the cybercrime-as-a-service trend is only growing, he told us.
According to Longenecker, Open Systems detected a 57 percent increase in such outsourced attacks in the last 30 days.
On January 27, law enforcement in eight different countries, together with privacy security researchers, took down Emotet command-and-control servers from all over the world – 90 countries, in total, according to Ukrainian police. Two of the gang members were arrested as well, in Ukraine.
"Taking it down was a significant positive for law enforcement and definitely great news," Daniel Dobrygowski, head of governance and trust for the World Economic Forum Center for Cybersecurity, said. "It was a very effective operation in terms of intergovernmental cooperation and showcased the ability of law enforcement across borders to work together to take down these cyber actors."
The delayed shutdown is unusual, but it gives data centers time to determine if they've been impacted by Emotet, he said.
"The Dutch national police has in their investigation uncovered a database of compromised email addresses, usernames, and passwords and made it available," he said. "As part of the remediation, data center managers should go into that database to check if they were compromised."
Ukrainian police posted a video on YouTube of their take down. They confiscated computer equipment, passports, phones, cash, and gold bars. (Given all their cash, the gang should have been able to afford a nicer place.)
According to CISA, Emotet injects code into legitimate running processes, creates randomly-named files in system root directories, creates scheduled tasks and registry keys, and installs files with names that mimic those of known executables.
If a privileged user logs into an infected system, the malware spreads even faster. "It is essential that privileged accounts are not used to log in to compromised systems during remediation," CISA warned.
Talos Intelligence has a list of Emotet indicators of compromise here.
If an infected machine is discovered, CISA recommends the following steps:
- Shut down the infected machine and take it off the network
- Consider taking the whole network offline to stop Emotet's spread
- Reimage infected machines
- Reset passwords on all relevant systems, including applications that may have stored credentials on compromised machines
- Identify the infection source and review log files for additional infections from that source
- If it was a compromised email account, make sure there are no other compromises, such as auto-forward rules that could result in a data breach
Find out more about Emotet remediation here.
Prepare for the Future
Cybercriminals are paying attention to how Emotet was brought down, said Cato's Maor. Next time, it might be even harder.
"Emotet might come back, or it might come back in a different form. But they're not going to make the same mistakes again," he said. "We've already seen that malware like Zeus is peer-to-peer distributed, without a single command-and-control server."
Criminals might invent a new command-and-control system, he said, or put their servers somewhere where it's harder for the authorities to access them.
To prepare for the future, data center cybersecurity managers should be leveraging threat intelligence and actively engage in threat hunting in their environments, said Josh Smith, security analyst at Nuspire. Companies should also invest in next-generation antivirus that includes behavior analytics to help spot new malware variants that don't have existing signatures.