The Emotet Botnet is Back and Stronger Than Ever

The Emotet Botnet is Back and Stronger Than Ever

The Emotet Botnet, one of the most pervasive and destructive botnets in use today, first appeared in 2014. Despite its age, Emotet is still going strong and shows no signs of disappearing anytime soon.

hacking, cyber, blackandwhite

Is Emotet Still Relevant in 2022?

So, is Emotet malware still relevant? The answer is a resounding “yes!” In this blog post, we’ll take a look at why Emotet is such a big threat and what you can do to protect your organization from it.

Emotet Target – Your Data!

Emotet Botnet Malware was one of the most widespread threats in 2018. It caused an estimated $1 billion in damages and infected millions of devices. It has recently emerged in infected computers in a new Emotet version.

Emotet reemerged in 2019. It is now more powerful than ever, with a new ability to spread via encrypted network traffic.

Data-Stealing Malware

Emotet is primarily a data-stealing malware. It targets business and personal information that can be used for identity theft or fraud. Emotet has evolved over time and now uses a variety of methods to infect devices and steal data.

The HP Wolf Security threat research team has identified a 27-fold increase in detections resulting from Emotet malicious spam campaigns in Q1 2022, compared to Q4 2021 — when Emotet first made its reappearance.  source:

Once described by the Cybersecurity and Infrastructure Security Agency as one of the most destructive and costly malware to remediate, Emotet has bolted up 36 places to become the most common malware family detected this quarter (representing 9% of all malware captured). Source

Emotet Botnet Malware has reemerged as a major security threat to businesses and individuals alike. It can steal your data, take over your device to install additional malware, and even use it to launch further attacks on other systems.

What does an Emotet Botnet do?

If you’re not familiar with Emotet botnet, here’s a quick rundown of its capabilities:

Emotet is a type of malware known as a “trojan” or “trojan horse.” This means that it disguises itself as something harmless to trick you into installing it.

Once installed, Emotet will do its best to remain hidden on your device while it starts to wreak havoc and effectively disrupt your organization.

What Happens When Emotet Downloads?

Emotet will start by stealing any data it can find on your device, including sensitive information like passwords, user credentials, and financial data. It will then use this stolen data from one victim’s computer to try and infect other devices on your network, using them to launch even more attacks.

Emotet is also known for sending out mass spam emails that contain malicious attachments. If someone opens one of these attachments, Emotet will infect their device as well.

Your employees must be always aware to be on the lookout for suspicious attachments.

How can I protect myself from Emotet?

technology, computer, male

The best way to protect yourself from Emotet is to be aware of the threat and to take steps to prevent it from infecting your devices in the first place.

Here are some tips to help you stay safe from Emotet:

Keep your operating system and software up to date: Emotet relies on security vulnerabilities to infect devices, so it’s important to keep your systems patched and up to date.

Don’t open email attachments from unknown senders: If you receive an email with an attachment from someone you don’t know, don’t open it! Emotet uses email attachments as one of its primary infection methods.

Be careful what you click on: Emotet can also spread through malicious links in emails, social media messages, and text messages. If you’re not sure whether a link is safe, don’t click on it!

Use a reputable antivirus: A good antivirus program can detect and remove Emotet from your devices. Be sure to keep your antivirus program up to date for the best protection.

Is Emotet a Virus or Backdoor?

No, Emotet is not a virus nor a backdoor. It is a type of malware known as a “trojan” or “trojan horse.” This means that it disguises itself as something harmless to trick you into installing it.

Is Emotet a Botnet?

Yes, Emotet is a botnet. A botnet is a collection of infected devices that are controlled by a central command and used to launch attacks. Emotet is one of the most destructive botnets in use today.

What is a Botnet?

A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices, and internet of things devices, that are infected and controlled by malware. The owners of the devices may not be aware that their device is part of a botnet.

Botnets can be used to launch attacks, such as distributed denial of service (DDoS) attacks, spam campaigns, and data theft.

Why is it called Emotet?

The name “Emotet” is derived from the word “emotion.” This is fitting, as Emotet is designed to steal your data and use it to launch attacks that can emotionally affect you.

How was Emotet stopped?

On January 18, 2019, law enforcement agencies from the Netherlands, Germany, the United States, and the United Kingdom announced that they had taken down the Emotet infrastructure.

This is a major victory in the fight against Emotet, but it is important to note that Emotet malware is still out there and can infect your devices.

Why is Emotet Back?

security, internet, crime

Emotet is back because it’s a very effective and dangerous malware that can steal data and infect other devices. It’s also been upgraded over the years to make it even more difficult to detect and remove.

Cybercriminals continue to use Emotet because it’s so profitable, and we’ll likely see more of this malware in the future.

Emotet, once described as “the world’s most dangerous malware” before being taken down by a major international police operation, is back – and being installed on Windows systems infected with TrickBot malware. Source

How can I remove Emotet from my devices?

If you think your device has been infected with Emotet, it’s important to take it immediately.

The first step is to run a reputable antivirus program to scan your devices and remove the malware. Once you’ve removed the malware, you should change any passwords that may have been compromised.

If you are on a corporate network or any of your organization’s data could have been compromised, be sure to report the emotet infection to your IT security department.

If you need further help, contact us for immediate incident response help.

How can I prevent Emotet infections?

The best way to prevent Emotet infections is to practice good cyber hygiene. This includes keeping your operating system and software up to date, being careful what you click on, and using a reputable antivirus program.

You should also avoid opening email attachments from unknown senders. If you do open an attachment, be sure to scan it with your antivirus program first.

Consider zero trust

Zero trust is a security model that assumes that users and devices are both malicious and untrustworthy.

In a zero-trust model, access to resources is restricted to the smallest possible number of users and devices. This helps to prevent unauthorized access and data theft.

Many managed security services providers like Cybriant employ a zero-trust methodology. This means that we assume that all users and devices are both malicious and untrustworthy.

We restrict access to resources to the smallest possible number of users and devices. This helps to prevent unauthorized access and data theft.

If you need help securing your devices or implementing a zero-trust security model, contact Cybriant today.

How is Emotet detected?

laptop, man, facebook

Emotet botnet is detected by antivirus programs because it is a type of malware. Antivirus programs look for known malware signatures and then remove or quarantine any infected devices.

Emotet can also be detected by its behavior – for example, if it starts slowing down your device or using a lot of your bandwidth.

Be aware that antivirus only detects known malware, a next-generation antivirus service like MDR is highly recommended to keep up with the unknown aspects of emotet.

What is MDR?

MDR, or Managed Detection and Response, is a next-generation antivirus service that uses artificial intelligence and machine learning to detect and respond to threats that traditional antivirus programs can’t.

MDR provides 24/7 monitoring of your devices and networks for Emotet and other malware, and can quickly respond to any threats that are detected. This is the best way to keep your devices and data safe from Emotet and other malware.

Using AI, our MDR-focused security analysts will stop a malicious link before it can execute.

If you need help securing your devices or implementing a zero-trust security model, contact Cybriant today. We can help you choose the right MDR service for your needs and budget.

Is Emotet Russian?

No, Emotet is not Russian. Emotet is believed to have originated in Germany or Ukraine.

How does Emotet spread?

Emotet spreads through email attachments, infected websites, and other malware. It can also infect devices through USB drives and other external media.

Cybercriminals use Emotet to steal data and launch attacks, so it’s important to take immediate action if you think your device has been infected.

How do I know if I have Emotet?

If you think your device has been infected with Emotet, it’s important to take it immediately. The first step is to run a reputable antivirus program to scan your devices and remove the malware.

Once you’ve removed the malware, you should change any passwords that may have been compromised

Why is the Emotet Trojan considered a Banking Trojan?

While everyone is a target for the trojan, Emotet is considered one of the most malicious banking trojans because it is designed to steal financial information from infected devices.

Because Emotet is a powerful malware that allows cybercriminals to steal data and launch attacks, it’s critical to act right away if you believe your device has been attacked.

Emotet has attacked individuals, businesses, and government agencies in the United States and Europe to date, stealing banking logins, financial data, and even Bitcoin wallets.

Among the most serious Emotet incidents was one in the City of Allentown, Pennsylvania, which necessitated immediate assistance from Microsoft’s incident response team to clean up and reportedly cost the city upwards of $1 million to repair.

Emotet’s ability to download and distribute other banking Trojans has allowed it to target a wider range of individuals. Emotet originally targeted German bank clients. Emotet later targeted organizations in Canada, the United Kingdom, and the United States.

Emotet is a serious threat to banks and other financial institutions, and it is important to take immediate action if you think your device has been infected.

What are the symptoms of an Emotet infection?

Emotet infections can cause a number of different symptoms on infected devices. These can include slow performance, high bandwidth usage, and unexpected pop-ups or emails. If you notice any of these symptoms on your device, it is important to run a reputable antivirus program to scan for and remove the malware.


While antivirus software can help protect your computer from some malware threats, it is not enough to protect you from emotet. Managed security services can monitor your organization’s network for signs of malware and quickly take action to stop an attack. If you are concerned about the threat of emotet or other malware, consider partnering with a managed security service provider to keep your business safe.




SamSam Strikes Again

SamSam Strikes Again

SamSam, a ransomware that hackers use in targeted attacks, strikes again –  this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network.

SamSam has been busy in 2018 so far. Several medical organizations including MedStar, Hancock Health Hospital, Adams Memorial Hospital and Allscripts so far. Hackers seem to be focusing in on cities and municipalities now.

On February 22, SamSam hit the Colorado Department of Transportation computers and encrypted files. City officials shut down more than 2,000 computers while they investigated the attack.

The group behind SamSam has made over $850,000 since December 2017. 

SamSam hits City of Atlanta

March 22, 2018 – The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.

Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but operate without IT support. Asked if the city plans to pay the ransom note, Mayor Bottoms said “We can’t speak to that right now. We will be looking for guidance from specifically our federal partners.”

Not all IT infrastructure were affected because the city was in the process of moving some systems to cloud services, and those were not affected.

How did this happen? 

According to experts, the cause was likely a port that should not have been open. The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption and asks for a Bitcoin to be sent to a Bitcoin wallet. The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.

What next? 

Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:

  • Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network.
  • Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
  • Perform regular audits of your external network for open remote access ports. You can use the Shodan browser for this.
  • Have robust credentials. Weak credentials make a break-in easier and faster.
  • Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.

We would like to add a few more suggestions:

  • Check for Vulnerabilities
  • Patch, Patch, Patch
  • Train Your HUMAN firewall!

As of today, some of the City of Atlanta’s computer systems are still shut down.  The hackers are demanding $51,000 to unlock the system. City officials are still trying to determine the full extent of the attack. We haven’t heard much from the City of Atlanta, which makes it even more concerning. 

Avoid Ransomware

The #1 Threat to Your Users

The #1 Threat to Your Users

Data Breaches, Phishing, or Malware? 

According to a recent study, Google researchers identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. Using this dataset, they explored to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust.

Google’s analysis showed that only less than 7 percent of the passwords exposed in third-party data breaches were valid due to password reuse. Furthermore, the company’s data suggests that credential leaks are less likely to result in account takeover due to a decrease in password reuse rates.

Phishing: The #1 threat to your users

On the other hand, nearly a quarter of the passwords stolen via phishing attacks were valid, and Google believes phishing victims are 460 times more likely to have their accounts hacked compared to a random users. As for keyloggers, nearly 12 percent of the compromised passwords were valid, and falling victim to such malware increases the chances of account takeovers 38 times.

“Our findings were clear: enterprising hijackers are constantly searching for and can find, billions of different platforms’ usernames and passwords on black markets,” Google employees wrote in a blog post. “While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses to stay ahead of these bad actors and keep users safe.”

Thus, in this process, Google concluded that many users were following the procedure of using a single login to access different web services. And this was giving way to phishing scams having the potential to do more damage than simplifying the life of web users.

Phishing Your Users is Fun!

By now you understand that bad guys are out to get us and they are succeeding by using phishing. By phishing your users, the bad guys are bypassing your firewall, endpoint protection, and other technology-based security measures by going after your users. So, what is there to do? Have you thought of phishing your users to see who the culprits are?

Phish our employees and then work out how to get them through effective Security Awareness Training. Here are a couple of ways to determine the phish-phone percentage of your end-users:

  • Raise a temporary web server, and create your phishing site. Then create your phishing email that should lure the users to your fake site, using what you know about Social Engineering. Work out how the tracking and reporting work, and code that. Make it all look acceptable. Takes a few days of work for someone who knows what they are doing. Next, send the email to all users using a mail server that allows you to spoof the From address. Then keep track, and fend off users calling and emailing about this. Fend off your manager who is getting calls from other managers about this, despite the fact this was all announced well in advance. All this on top of my normal 60 hours per week workload? Forget that, never gonna happen.
  • Check out the guys from KnowBe4 and Cybriant. We managed the phishing, analyzing, and training of your employees. Find out more: https://www.cybriant.com/cybersecurity-awareness-training/

Phish Your Users!

The Financial Industry’s Biggest Threat

CyberAlert: Bad Rabbit

CyberAlert: Bad Rabbit

According to US-CERT:

US-CERT has received multiple reports of ransomware infections, known as Bad Rabbit, in many countries around the world. A suspected variant of Petya, Bad Rabbit is ransomware—malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

US-CERT encourages users and administrators to review US-CERT Alerts TA17-181A and TA17-132A that describe recent ransomware events. Please report ransomware incidents to the Internet Crime Complaint Center (IC3). US-CERT will provide updated information as it becomes available.

As a Cybriant managed SIEM or managed Perimeter customer, you are protected from this ransomware attack

We are continuing to investigate this malware. Please stay tuned to CyberAlert for the latest information.

Unlike other recent malware epidemics which spread through more passive means, Bad Rabbit requires a potential victim to download and execute a bogus Adobe Flash installer file, thereby infecting themselves.  An Adobe spokesperson said that the attacks, “do not utilize any legitimate Flash Player updates nor are they associated with any known Adobe product vulnerabilities.”

BadRabbit demands users pay .05 bitcoins, or about $286, to have their files decrypted. But with its link to NotPetya’s fake ransomware, whether that payment actually gets results is so far unclear, according to WIRED.

What to do?

  • Make sure that all protection mechanisms are activated as recommended
  • Update your antivirus databases immediately
  • Make sure your employees are aware of this threat
  • Initiate a conversation with Cybriant for managed SIEM and Perimeter protection

Not sure where to start?

Verizon: “Most Breaches Trace to Phishing, Social Engineering

Verizon: “Most Breaches Trace to Phishing, Social Engineering

Breaches Trace to Phishing, Social Engineering. BankInfoSecurity wrote: “90% of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they’re legitimate users.”

“Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in,” says Chris Novak, director of global investigative response for Verizon, in a discussion about the company’s latest Data Breach Digest, a companion report to the company’s annual Data Breach Investigations report (see Verizon’s Latest Breach Report: Same Attacks, More Damage).

In an audio interview with Information Security Media Group at the recent RSA Conference 2017 (see link below illustration), Novak discusses:

  • Nitty-gritty details of what organizations go through when they suffer a breach;
  • Organizations’ ongoing inability to know where their top assets are and on which systems that data gets stored, especially after merger and acquisition activity;
  • The move by even non-European organizations to comply with the EU’s General Data Protection Regulation.

Novak is a co-founder and the director of the Verizon Investigative Response Unit – a division of the Verizon RISK Team. He’s also worked as a principal for Cybertrust and a senior security consultant for Ubizen.” We recommend you listen to the 10-minute interview here:


If you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test and find out what the phish-prone percentage of your users is.

Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.



Scam Of The Week: Mystery Shopper Scam Email