There is potential for increased ransomware attacks due to new Emotet samples spreading through Trickbot, according to Check Point Research.
CPR estimates 140,000 victims have been vulnerable to Trickbot, across 149 countries in only 10 months despite Emotet's takedown by law enforcement. Trickbot's top industry targets are government, finance and then manufacturing.
Following international law enforcement action coordinated by Europol and Eurojust in early 2021, which resulted in the take down of the Emotet infrastructure and arrest of two individuals, on November 15 2021, Trickbot infected machines started to drop Emotet samples by promoting users to download password protect zip files, containing malicious documents that are rebuilding Emotet's botnet network.
CPR sees samples of Emotet fast-spreading through surges in Trickbot activity, indicating potential for increased ransomware attacks. Once described as the ‘world's most dangerous malware', Emotet provides threat actors with a backdoor into compromised machines, which could be leased out to ransomware gang to use for their own campaigns.
Almost one third of all Trickbot targets are located in Portugal and USA, while victims from high profile industries constitute more than 50% of all the victims.
“Emotet was the strongest botnet in the history of cybercrime with a rich infection base," says Lotem Finkelstein, head of threat intelligence at Check Point Software.
"Now, Emotet has resold its infection base to other threat actors to spread their malware; and most of the time, it's been to ransomware gang," he says.
"Emotet's comeback is a major warning sign for yet another surge in ransomware attacks as go into 2022.
"Trickbot, who has always collaborated with Emotet, is facilitating Emotet's comeback by dropping it on infected victims," Finkelstein says.
"This has allowed Emotet to start from a very firm position, and not from scratch. In only two weeks, Emotet became the 7th most popular malware, as see in our recent Most Wanted Malware List.
"Emotet is our best indicator for future ransomware attacks. We should treat Emotet and Trickbot infections like they are ransomware. Otherwise, it is only a matter of time before we have to deal with an actual ransomware attack.
First identified in 2014, Emotet has been regularly updated by its developers to maintain its effectiveness for malicious activity. The Department of Homeland Security has estimated that each incident involving Emotet costs organisations upwards of $1 million dollars to rectify.
"Emotet is one of the most costly and destructive malware variants ever seen, so the joint effort made by law enforcement agencies to take it down was essential, and a huge achievement," says Maya Horowitz, director, threat intelligence - research, products at Check Point.
"However, new threats will inevitably emerge to replace it, so organisations still need to ensure robust security systems in place to prevent their networks being compromised," she says.
"As always, comprehensive training for employees is crucial, so they are able to identify the types of malicious emails which spread stealthy trojans and bots."