16 September 2020
We are aware of reports of a significant spike in 'Emotet' incidents in September 2020, after the malware lay dormant for the first half of the year. We provide an update below, following our reporting in late 2019.
See here for previous updates.
Emotet previously caused havoc between July and December 2019, plunging businesses into months-long attempts to recover from the impact of the malware. The recent resurgence is concerning, with businesses at increased risk of experiencing a cyber incident due to Covid-19 market conditions and, in particular, the increased risk of employees succumbing to phishing email campaigns while working from home.
It's important to take immediate action if you suspect Emotet has impacted your systems – we set out the action you can take below. Given the impact Emotet has had on Australian and New Zealand businesses, government agencies and the healthcare sector in particular, we hope that steps can be taken to contain the spread this time around.
What is Emotet?
Emotet is a sophisticated piece of malware typically spread via malicious emails carrying Microsoft Office attachments, usually Microsoft Word (.doc, .docx), and PDF documents (the same way Emotet spread in 2019).
An organisation will usually first become aware of the presence of Emotet if it identifies a large volume of emails being sent to employees and external stakeholders ('malspam'). These emails typically contain a snippet of previous email correspondence, which increases the chances of a recipient opening the email and clicking on the attachment.
Once a user clicks on the document, the malware is typically downloaded. Hundreds or thousands of emails (depending on the number of contacts in the mailbox) can be sent out in a short space of time once Emotet enters an organisation's system.
Immediate steps to take in response to Emotet
If you think you have an Emotet infection, the immediate priority is to contain the spread of the malware. Without immediate action you run the risk of the malware proliferating through your system. The broader risk is that the malware leverages your systems to filter into your clients' and stakeholders' systems, exposing your organisation to claims risk.
To limit Emotet's spread, it is critical that you take the following three immediate steps:
- Immediately isolate affected machines from your network (and seek your IT provider's immediate assistance in doing so) and remove any ongoing persistence. Emotet malware can spread laterally through your network and download other malware, including ransomware, so it is imperative you isolate affected machines to stop the spread.
- Assess the scope of the impact on your network including what information may be at risk.
- Warn your employees and external stakeholders of the risk of receiving suspicious emails. It is critical that recipients do not interact with an Emotet email so your notification needs to clearly outline the risk and warn recipients not to click on any attachments or open any suspicious emails.
The Australian Cyber Security Centre (ACSC) and New Zealand's Computer Emergency Response Team (CERT) have previously prepared a number of resources for organisations to prevent Emotet from entering the network, as well as responding to any incident (see here for ACSC materials and here for CERT's materials).
Concurrently with isolating machines and notifying potential recipients of Emotet emails, organisations also need to consider the residual privacy implications of an Emotet incident – i.e. you will need to conduct an assessment into whether the incident amounts to an 'eligible data breach' under the Privacy Act.
Organisations should consider purchasing cyber insurance to gain access to specialty vendors with experience responding to this type of incident and to cover the associated response costs and potential liability exposure.
Where do you go for more information?
We commend the ACSC and DPC VIC for leading the national and regional response to this incident last time and providing real time updates on the impact to government agencies and the private sector.
The following sources provide information which may help you identify infected computers in your environment:
- Japan CERT publishes a tool that you can use to check for Emotet infection on a computer: https://github.com/JPCERTCC/EmoCheck
- Check your egress network logs (HTTP proxy, DNS logs) for any connection to known Emotet Command and Control (C2) hosts. A provider of lists of known malware C2 is Feodo Tracker: https://feodotracker.abuse.ch/browse
- URLhaus provides a feed of URLs associated with Emotet: https://urlhaus.abuse.ch/browse/tag/emotet
- Cryptolaemus group provides up-to-date information about Emotet, including IOCs, here: https://paste.cryptolaemus.com
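One way to carry out the egress-log check described in the list above, as an added example that is not part of the original advisory or of any tool it links to. The indicator values, the log layout and the function names are constructed for illustration; real indicators would come from the feeds named above.

```python
import ipaddress

# Constructed indicators (documentation IP ranges, example domain). In practice
# these sets are filled from the C2 and URL feeds named in the list above.
C2_IPS = {"192.0.2.44", "198.51.100.7"}
C2_HOSTS = {"update.example.net"}

# Constructed egress log lines in an assumed layout:
#   timestamp  internal-client-ip  rest-of-record
SAMPLE_LOGS = [
    "2020-09-14T02:11:09Z 10.1.4.23 POST http://192.0.2.44:8080/a/b 200",
    "2020-09-14T02:11:15Z 10.1.4.23 GET https://intranet.example.org/ 200",
    "2020-09-14T02:12:40Z 10.1.7.5 query UPDATE.example.net. A 203.0.113.9",
    "2020-09-14T02:13:02Z 10.1.7.8 query cdn.example.com. A 198.51.100.7",
]

def host_of(token):
    """Reduce a URL, host:port or DNS name token to a bare lower-case host."""
    if "://" in token:
        token = token.split("://", 1)[1]
    token = token.split("/", 1)[0].rpartition("@")[2]
    if token.count(":") == 1:          # host:port (IPv6 is out of scope here)
        token = token.split(":", 1)[0]
    return token.rstrip(".").lower()

def is_c2(host):
    """True if host is a listed IP, a listed name, or a subdomain of one."""
    try:
        return str(ipaddress.ip_address(host)) in C2_IPS
    except ValueError:                 # not an IP literal, treat as a name
        return any(host == d or host.endswith("." + d) for d in C2_HOSTS)

def scan(lines):
    """Map each internal client to the sorted indicators it contacted."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                   # malformed or truncated record
        for host in map(host_of, fields[2:]):
            if is_c2(host):
                hits.setdefault(fields[1], set()).add(host)
    return {client: sorted(found) for client, found in hits.items()}

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOGS).items():
        print(f"{client} contacted {', '.join(found)}")
```

Clients that appear in the result are candidates for the isolation step described earlier.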
More information is available here:
- https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks
- https://thehackernews.com/2020/09/emotet-malware-attack.html
Additional resources from well-known security providers such as CrowdStrike, Carbon Black, Proofpoint, Malwarebytes, Sophos, and Symantec are available online.
For further information, please contact:
Sophie White, Associate, Clyde & Co
sophie.white@clyde.com