Infamous botnet Emotet has returned after being taken offline in an international law enforcement sting in January. The timing of its return is significant for CISOs and CIOs with the Christmas period approaching, as public holidays are a particularly fruitful time for ransomware criminals.
Though it has been offline since the beginning of the year, security researchers have noticed new activity from Emotet in recent days, suggesting the gang behind the botnet is ready to bring it back.
Maintaining awareness of any suspicious access is crucial to combating Emotet, experts told Tech Monitor, because once the malware is in a system it becomes more difficult to neutralise.
What is Emotet and why is it dangerous?
First identified in 2014, Emotet was originally designed as a banking trojan. Now Emotet is famed for its massive botnet, a network of bots that provides access to systems, allowing hackers to launch secondary trojans or DDoS attacks. The Emotet botnet sent out as many as 250,000 phishing emails in July of 2020 alone, according to a report from Heimdal Security.
Emotet was taken down by an international policing operation spearheaded by Europol in January of this year when more than 200 servers were seized. At the time, some cybersecurity experts were hopeful Emotet was gone for good, while others were sceptical that the botnet would go offline permanently.
Emotet botnet returns: why is the timing significant?
The timing of Emotet’s return, ahead of the Christmas holiday season, may be significant, argues Steve Forbes, head of product at security company Nominet. “Around seasonal holidays and things like that where there are people on holiday their guard may be down,” he says. “It’s prime time for cybercriminals because they know there is ideal opportunity to get through the net and have the maximum impact on these organisations.” Forbes adds that victims are more likely to pay any ransom demand that emerges during a holiday period. “If their people are on holiday or on leave, there is a high chance that they might pay the ransom just to get back up and running,” he says.
Emotet has form for using the Christmas holidays to maximise the reach of its attacks. According to a report released by Cyren Security, during the winter of 2018 Emotet designed malware targeting last-minute Amazon shoppers. The shoppers would receive a convincing fake email, seemingly from Amazon, that would persuade the victim to download macro code. From there, Emotet could either steal information or drop further malware onto the victim's machine.
Emotet botnet returns: what should we expect from Emotet in future?
Despite its takedown in January 2021, the return of Emotet is not a surprise for Chris Morgan, senior cyber threat intelligence analyst at cybersecurity company Digital Shadows. “The return of Emotet was highly predictable, with the only surprise being that the comeback took this long,” he says. “With Emotet removed, a vacuum was created which was quickly filled by several alternate malware, which included Dridex, Qakbot, and IcedID.” While these have provided a useful stopgap for cybercriminals, Morgan says, they lack the overall functionality of Emotet.
It is likely, Morgan says, that the threat actors behind Emotet were persuaded to resurrect the botnet by Conti, a hacking group that has worked closely with Emotet in the past. Morgan expects their partnership to be rekindled. “It has been reported that the Conti ransomware gang – which is believed to have rebranded from the Ryuk group – persuaded Emotet’s developers to restart operations,” he says. “With the Emotet, Trickbot, and Ryuk trio commonly observed being used to great effect during Ryuk’s operations, it is almost certain that Conti will return to using Emotet as a tried-and-tested method of gaining initial access to targeted networks.”
Forbes agrees, though stresses there is no evidence yet of the gangs working together. “You would think that in this type of operation where they’ve got a common enemy, then you would expect them to be collaborating together in some way and also trying to make sure they don’t step on each other’s toes,” he says.
Cybercriminals deploying ransomware prefer to use a sophisticated botnet as an initial access broker because it is easier and more efficient. This doesn't mean that criminal gangs could not operate without Emotet, but it does mean that their operations will be more streamlined with Emotet back on the scene.
Due to this sophistication, CIOs and CISOs should be on high alert for signs of infiltration within the system, rather than the ransomware itself, adds Forbes. “The thing you probably need to look out for is what might suggest that your network has been infiltrated before they get to the ransomware bit because, by the time you’re against the ransomware beast, it is too late,” he says.