What is Emotet?
Emotet is computer malware that was originally developed in the form of a so-called banking Trojan. The aim was to penetrate other people's devices and spy out sensitive private data. Emotet is able to fool and hide from common antivirus programs. Once the device is infected, the malware spreads like a computer worm and tries to infiltrate other computers in the network.
Emotet is spread mainly through spam emails. The email contains a malicious link or an infected document containing activated macros. If you download the document or open the link, more malware is automatically downloaded onto your computer. The emails look very authentic.
The term Emotet
Emotet was first detected in 2014 when customers of German and Austrian banks were affected by the Trojan. Emotet had gained access to the customers' login data. In the years that followed, the malware was able to spread worldwide.
Since then, Emotet has developed from a banking Trojan into a dropper, which means that the Trojan loads malware. This malware is then responsible for the actual damage to the system. In most cases the following programs are involved:
- Trickbot: A banking Trojan that tries to gain access to login data for bank accounts.
- Ryuk: An encryption Trojan – also known as a crypto Trojan or ransomware – encrypts data, and by doing so prevents the computer user from accessing that data, or locks the entire system.
The goal of the cybercriminals behind Emotet is often to extort money from their victims. For example, they threaten to publish the encrypted data or never release it again. Usually, Emotet refers to the complete process of infection, additional download of the malware and its distribution.
Who is targeted by Emotet?
Private individuals, companies, organizations and public authorities. In 2018, the Fürstenfeldbruck clinical center had to shut down 450 computers and log off from the emergency coordination center after being infected with Emotet. In September 2019, for example, the Berlin Court of Appeals, the Kammergericht, was affected, followed by the University of Giessen in December 2019.
The Hanover Medical School and the city administration of Frankfurt am Main were also infected by Emotet. The number of companies affected is estimated to be much higher. It is assumed that many infected companies do not want to report an infection for fear of their reputation and of further attacks.
While in the early days of Emotet it was mainly companies that were targeted, the Trojan now primarily targets private individuals.
Which devices are at risk from Emotet?
Initially, infection with Emotet was only detected on more modern versions of Microsoft's Windows operating system. However, in early 2019 it was revealed that computers made by Apple were also affected by Emotet. The perpetrators lured users into a trap with a fake email from Apple support, claiming that the company had "restricted access to your customer account." The email also told users that they should follow a link to prevent deactivation and deletion of certain Apple services.
How the Emotet Trojan spreads
Emotet is mainly spread via so-called Outlook harvesting. The Trojan reads emails of already affected users and creates deceptively genuine content. These emails appear authentic and personal, and so they stand out from ordinary spam emails. Emotet forwards these phishing emails to saved contacts, i.e., friends, family members, work colleagues or your boss.
The emails usually contain an infected Word document that needs to be downloaded, or a dangerous link. The correct name is always displayed as the sender. The recipients are thus lulled into a false sense of security as everything looks like a normal, personal email from you and they are therefore most likely to click on the dangerous link or the infected attachment.
Emotet can spread further once it has access to a network. In doing so it tries to use the brute-force method to crack passwords to your accounts. Other ways in which Emotet has spread include the EternalBlue security flaw and the DoublePulsar vulnerability in Windows, which allowed malware to be installed without human intervention. In 2017, the WannaCry extortion Trojan was able to utilize the EternalBlue exploit for a serious cyberattack and wreak havoc.
Emotet: Malware infrastructure smashed
At the end of January 2021, the General Public Prosecutor's Office in Frankfurt am Main – the central office for combating internet criminality (CIT) – and the Federal Criminal Office (FCO) announced that the Emotet infrastructure had been "taken over and smashed" as part of a concerted international effort. Law enforcement agencies from Germany, the Netherlands, Ukraine, France and Lithuania, as well as the UK, Canada and the US, were involved in the operation.
The agencies claim they were able to deactivate more than 100 servers of the Emotet infrastructure, 17 of them in Germany alone. These represented the beginning of the trail. The FCO had gathered data and, after further analysis, located further servers throughout Europe.
According to the FCO, the infrastructure of the Emotet malware was smashed and rendered harmless. The authorities in Ukraine were able to take over the infrastructure, and also seize several computers, hard drives, money and gold bars. The entire operation was coordinated by Europol and Eurojust, the EU agency for judicial cooperation in criminal matters.
By taking control of Emotet's infrastructure, the authorities were able to render the malware on the affected German victim systems unusable for the perpetrators. To prevent them from regaining control, the task forces quarantined the malware on the affected victim systems. In addition, they adjusted the communication parameters of the software so that it could communicate with a specially set up infrastructure solely to preserve evidence. In the process, the authorities obtained information about the affected victim systems, such as public IP addresses. These were transmitted to the BSI.
Who is behind Emotet?
The Federal Office for Information Security (FIS) believes that "the developers of Emotet sublet their software and infrastructure to third parties." They in turn relied on further malware to pursue their own goals. The BSI is of the opinion that the criminals' motives are of a financial nature and that cybercrime is the issue rather than espionage.
No one seems to have an answer to the question of who is behind it. The rumors are that it originates from Russia or Eastern Europe, but there is no serious evidence to back this up.
Emotet: Highly destructive malware
The US Department of Homeland Security concluded that Emotet is a particularly costly piece of software with enormous destructive power. The cost of the clean-up is estimated at around one million US dollars per incident. It is for this reason that Arne Schönbohm, head of the Federal Office for Information Security (FIS), calls Emotet the "king of malware."
Emotet is undoubtedly one of the most complex and dangerous malware programs in history. The malware is polymorphic, which means that its code changes slightly each time it is accessed. This makes it difficult for antivirus software to identify the malware, as many antivirus programs perform signature-based searches. In February 2020, security researchers from Binary Search discovered that Emotet now also attacks Wi-Fi networks. If an infected device is connected to a wireless network, Emotet scans all wireless networks nearby. With the help of a password list, the malware then tries to gain access to the networks and thus infect other devices.
Cybercriminals like to exploit fears among the population. It is therefore not surprising that the fear of COVID-19, which has been circulating worldwide since December 2019, is also being exploited by Emotet. The cybercriminals behind the Trojan often spoof emails claiming to provide information about COVID-19 and educate the population. If you discover such an email in your inbox, be especially careful with any attachments or links in the message!
How can I protect myself from Emotet?
When it comes to protection against Emotet and other Trojans, it is not enough to rely solely on antivirus programs. After all, just detecting the polymorphic malware is only the first problem for end users. Quite simply, there is no solution that offers 100% protection against Emotet or any other changeable Trojan. Precautionary organizational and technical measures alone can minimize the risk of infection. These are the precautions that you should take to protect yourself against Emotet:
- Stay up to date! Keep yourself regularly informed about developments concerning the topic of Emotet. There are several ways to do this, such as the BSI newsletter, our newsletter from Kaspersky, or by doing your own research.
- Security updates: Be sure to install updates provided by manufacturers as soon as possible to eliminate possible security vulnerabilities. This applies to operating systems such as Windows and macOS, as well as any application programs, browsers, browser add-ons, email clients, Office programs and PDF programs.
- Antivirus software: Be sure to install an antivirus program such as Kaspersky Internet Security and have it scan your computer regularly for vulnerabilities. This will give you the best possible protection against the latest viruses, spyware and other online threats.
- Do not download dubious attachments from emails or click on suspicious links. If you're unsure whether an email is fake, don't take any risks – contact the person that supposedly sent it! If you are asked to allow the execution of a macro when downloading a file, do not do so under any circumstances. Instead, delete the file immediately. In this way you don't give Emotet a chance to get onto your computer in the first place.
- Backups: Back up your data regularly on an external data carrier. In the event of an infection, you will always have a backup to fall back on and will not have lost all the data on your PC.
- Passwords: Use only strong passwords for all logins (online banking, email account, online trading). In other words, don't use the name of your first dog, but rather a random arrangement of letters, numbers and special characters. You can either come up with these yourself or have them generated using programs such as password managers. In addition, many programs now provide the option of two-factor authentication.
- File extensions: Ensure that file extensions are displayed on your computer by default. This will help you to recognize dubious files such as "Vacation snap123.jpg.exe."
How can I remove Emotet?
First and foremost: Do not panic if you suspect your PC may be infected with Emotet! Inform those around you about the infection, as your email contacts and other devices connected to your network are also potentially at risk.
Next, be sure to isolate your computer if it is connected to a network to reduce the risk of Emotet spreading. You should then change all access data to your accounts, i.e., email accounts, web browsers, etc.
As the Emotet malware is polymorphic and its code always changes slightly each time it is accessed, a cleaned computer can quickly be reinfected as soon as it is connected to an infected network. You must therefore clean all computers connected to your network one after the other. Use an antivirus program to do this. You can also contact a specialist, such as the provider of your antivirus software.
EmoCheck: Does the tool really help against Emotet?
The Japanese CERT (Computer Emergency Response Team) has published the tool EmoCheck, which you can use to check your computer for infection by Emotet. Tip: Use the tool to detect a possible infection by known versions of Emotet. However, be careful! As Emotet is polymorphic, even EmoCheck cannot guarantee with 100% certainty that your computer is not infected. EmoCheck uses a method of recognizing characteristic character strings and thus warns you of the Trojan. However, the changeability of the malware means there is no guarantee your computer is really clean.
A summary of Emotet
The Emotet Trojan horse is one of the most dangerous malware programs in IT history. Everyone is affected: private individuals, companies and even public authorities. Once the Trojan has infiltrated the system, it loads other malware that spies out access credentials and encrypts data. Often, the victims of the malware are blackmailed with ransom payments to get their data back. Unfortunately, there is no solution that provides 100% protection against an infection by Emotet. However, by taking various measures you can keep the risk of infection low. If you suspect that your computer is infected with Emotet, you should initiate the above measures to clean your computer of Emotet.
Kaspersky Internet Security received two AV-TEST awards for the best performance & protection for an internet security product in 2021. In all tests Kaspersky Internet Security showed outstanding performance and protection against cyberthreats.
These security solutions offer protection against Trojans, viruses and ransomware: