SK-CERT warns – EMOTET is on the rise again

The National Cyber Security Centre SK-CERT has recently detected an increase in the spread of malware from the EMOTET campaign in European as well as Slovak cyberspace.

Malware from the EMOTET campaign attempts to infiltrate your computer, steal sensitive and private information, encrypt your data and demand a ransom, and spread spam and further malicious software.

The EMOTET malware attack currently affects everyone – from individuals to small and large organizations. EMOTET is one of the most destructive malware families currently known, because it uses many different methods of distribution.

How the EMOTET campaign runs

The EMOTET campaign is a series of multiple attacks that usually begin with an infection through a phishing e-mail with a malicious attachment. After the initial infection, the attacker installs TrickBot malware, which is often used to steal data. The final stage is the installation of the Ryuk ransomware, which encrypts selected files on devices and demands a Bitcoin payment. The amount varies from one to 99 Bitcoin (this week the value of Bitcoin is around 9 000 EUR) and the attacker sets it according to the victim's financial means[1]. Ryuk is ransomware derived from the popular Hermes ransomware. It has several notable attributes, including relatively high ransom demands from large organizations[2], but as mentioned above, with its growing association with EMOTET and TrickBot, the amount of ransom may vary.

EMOTET is primarily disseminated through a credible-looking message from an organization, drawing your attention to a wide range of lures – from an outstanding invoice to new rules concerning the spread of Covid-19. The infection is then performed through malicious scripts, macro-enabled documents, or other malicious content. E-mails may appear legitimate and often urge you to open the message immediately without verification. After infection, EMOTET scans your contact list and sends further phishing e-mails. Since these e-mails come from a legitimate sender, recipients (usually family, friends and colleagues) are more likely to open them.

EMOTET uses Command and Control servers to receive updates. This works much like operating system updates and can happen without the user's knowledge. It allows attackers to install not only updated versions of the malware, but also other malicious software.

There are several analyses linking the Ryuk ransomware campaign to North Korean attackers[3]. These connections are based on the similarities between Ryuk and the Hermes ransomware, which is used by APT38 (Lazarus Group)[4], and to a lesser extent on the methodology North Korea has used in past attacks[5]. However, these similarities are not sufficient to conclude who is behind the attacks.

How to protect yourself?

The National Cyber Security Centre SK-CERT recommends the following to all users and organizations:

  • Keep your devices updated. TrickBot malware, which is installed on the infected device through EMOTET malware, often relies on current and older vulnerabilities[6], including the EternalBlue vulnerability (the most serious vulnerability used in attacks attributed to North Korea – WannaCry[7]).
  • Follow the basic principles of cyber-hygiene or instruct your employees as follows:
      • Do not open unverified messages or messages from unknown users,
      • Do not open suspicious attachments (even in formats known to you such as .pdf / .docx and others),
      • Disable macros in documents,
      • Do not open suspicious URL links,
      • If you use e-mail applications, turn off the attachment preview feature,
      • In case of suspicion, verify the content of the message with the sender by another channel (by phone or in person),
      • Never respond to messages asking for any personal or sensitive data (login names, passwords or payment details),
      • Back up your data regularly.
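The following attachment triage check is an added example and not part of the SK-CERT advisory; it shows how a mail gateway or helpdesk could flag the macro-enabled Office documents and script attachments the campaign relies on, including a document whose harmless-looking .docx name hides an embedded VBA project. The OOXML container it builds is constructed for the demonstration and is not a real document.

```python
import io
import os
import zipfile

# Office extensions whose content type explicitly permits VBA macros.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                            ".pptm", ".potm", ".ppam"}

# Extensions that execute directly when opened from a mail client.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr"}

# Compound File Binary (OLE2) signature used by legacy .doc/.xls/.ppt files,
# which can carry VBA without any telltale extension.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def vba_project_parts(data: bytes) -> list[str]:
    """Names of embedded VBA project parts inside an OOXML (zip) document."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons an attachment deserves a closer look; empty list means none found."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_ENABLED_EXTENSIONS:
        reasons.append(f"macro-enabled Office extension {ext}")
    parts = vba_project_parts(data)
    if parts:  # the container carries VBA regardless of what the name says
        reasons.append("embedded VBA project: " + ", ".join(parts))
    if data.startswith(OLE2_MAGIC):
        reasons.append("legacy OLE2 Office container (may hold VBA)")
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"directly executable script/binary extension {ext}")
    return reasons


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for the demonstration, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A gateway rule would quarantine or warn on any non-empty result rather than rely on the file extension alone, since the advisory notes that familiar formats such as .docx are used as lures.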

Sources

[1] https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

[2] https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

[3] https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/

[4] https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/

[5] https://blog.koddos.net/malware-emotet-using-north-korean-tricks-to-show-its-still-king/

[6] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-response

[7] https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html
