The recent takedown of one of the world’s most prolific botnets should make the cyberworld much safer, but analysts warn that organizations must remain vigilant. Given Emotet’s remarkable resilience over the years, we may not have seen the last of the notorious malware and botnet.
Emotet emerged in 2014 as a banking trojan, but its operators updated and reconfigured it repeatedly over the years. In its latest incarnation as a for-hire email spamming botnet, it served as a platform for the mass distribution of ransomware and other types of malware. Department of Justice officials say it has been particularly active since the onset of the pandemic, infecting more than 1.6 million computers and causing hundreds of millions of dollars in damage since April 2020.
In January, however, law enforcement agencies from the U.S., U.K., Canada, France, Germany, Lithuania, the Netherlands and Ukraine disrupted Emotet’s command-and-control infrastructure after gaining access to several hundred servers worldwide. Officials are now using that infrastructure to distribute a module to all infected devices that will uninstall the malware on April 25.
Although authorities believe they have effectively shut down the Emotet network, they also acknowledge that the botnet’s operators will likely try to reestablish operations in the near future with a modified form of the malware.
One of the things that makes authorities fear an Emotet comeback is that it is polymorphic malware, capable of continually changing its base code and other identifiable characteristics to conceal itself from traditional antivirus and antimalware programs. It is also modular, meaning components can be swapped in and out depending on what an attacker wants to achieve.
Some variants act as ransomware, others as banking trojans and others as bot recruiters. Worm-like characteristics allow Emotet to rapidly spread through a network once a connected machine is infected.
Even if Emotet is gone for good, you can be sure that other bot herders will step up to provide malware distribution channels for malicious actors. Trickbot, ZLoader and BazarLoader have been among the other active malware-as-a-service providers. Federal cybersecurity experts recommend that organizations take the following precautions to minimize their risk:
- Implement awareness training to educate employees about how to identify social engineering and phishing scams. Training programs should emphasize three essential practices: don’t open emails from senders you don’t recognize, don’t click on email links if you aren’t certain they’re legitimate, and don’t open email attachments unless they are expected and come from a trusted source.
- Establish firewall rules to restrict inbound communications using the Server Message Block file-sharing protocol. Threat actors frequently use this protocol to access network resources, spread malware, and steal or alter data.
- Use antimalware programs on all servers and endpoint devices and apply updates and security patches in a timely manner.
- Implement filters at the email gateway to block or quarantine suspicious messages before they are delivered to their intended recipient. Filters analyze emails against dynamic databases of blacklisted URLs, flagged keywords and other characteristics.
- Block attachments with extensions such as .dll or .exe that are commonly associated with malware, as well as archive attachments such as .zip files whose contents antivirus software cannot scan.
- Enforce least-privilege access principles that ensure users have the minimum level of access required to accomplish their duties. Least-privilege access can prevent attackers from installing and executing malware and moving laterally through the network.
- Use DMARC, the email authentication protocol that reduces spoofed mail by checking each message against the sending domain’s published Domain Name System (DNS) records and digital signatures (SPF and DKIM) and applying the domain’s published policy to messages that fail.
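As an added example (not from the original post), here is a minimal gateway-style attachment filter in Python that applies the attachment rule above to a constructed sample message: it blocks .exe and .dll attachments, looks inside .zip archives for the same extensions, and quarantines encrypted or unreadable archives that a scanner cannot inspect. The blocked-extension set, the verdict strings and the sample message are assumptions for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".dll"}  # assumed starting set; extend to match local policy


def classify(filename: str, payload: bytes) -> str:
    """Gateway verdict for one attachment: allow, block or quarantine."""
    lower = filename.lower()
    # endswith() also catches double extensions such as invoice.pdf.exe
    if any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "block: executable extension"
    if lower.endswith(".zip"):
        return inspect_zip(payload)
    return "allow"


def inspect_zip(payload: bytes) -> str:
    """Look inside an archive; anything the scanner cannot read is quarantined."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for entry in archive.infolist():
                if entry.flag_bits & 0x1:  # general-purpose bit 0 set = encrypted entry
                    return "quarantine: encrypted zip cannot be scanned"
                if any(entry.filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
                    return "block: executable inside zip"
    except zipfile.BadZipFile:
        return "quarantine: unreadable zip"
    return "allow"


def attachment_verdicts(raw_message: bytes) -> list:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    # multipart containers and the inline text body carry no filename and are skipped
    return [(p.get_filename(), classify(p.get_filename(), p.get_payload(decode=True) or b""))
            for p in msg.walk() if p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed test mail (not a real sample): a PDF, a zip hiding an .exe, and a bare .exe."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as archive:
        archive.writestr("invoice.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()
```

Running `attachment_verdicts(build_sample_message())` allows the PDF and flags both the archive and the bare executable; a real gateway would then quarantine the whole message rather than only the part.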
The Emotet takedown will have an immediate impact on cybersecurity by eliminating one of the major delivery mechanisms for ransomware and other malicious spam. However, you can bet that cybercriminals will still find ways to launch attacks. Give us a call to discuss ways to boost your security posture.