Emotet: the dangerous infection you may not know you have

December 20, 2018

You may not have heard about it, but Emotet malware is set to become a major threat in 2019. Here’s what you need to know to help defend yourself.

You may not recognize the name, but the Emotet malware is poised to become a major factor in your cybersecurity life. It started as a banking Trojan (focused primarily on stealing login credentials and hijacking online banking sessions), but it has stepped up its game and now steals your emails as well. The worrying thing is that you may not even realize you have been infected.

Our sister company Kryptos Logic is able to track occurrences of malware across the Internet by watching the command-and-control (C2) systems that an infection contacts for instructions. It has found that although Emotet is a global threat, most infections at the moment are in the United States. More than 44,000 unique IP addresses have been compromised by Emotet, and over 2,500 US organizations have the malware and probably don’t even know it.

The fact that Emotet now includes email exfiltration shows that it is not a single-purpose piece of malware: once it is on a machine it can fetch any number of additional payloads, including ransomware and the tooling for an advanced persistent threat (APT) style attack, where a hacker is actively poking around in your network. We expect to see more aggressive and selective attacks in 2019, and the bad news is that “selective” doesn’t mean “big companies” anymore.

How does it work?

There are a number of attack vectors (ways of starting the process), but with Emotet the chain always involves an email carrying an Office attachment with macros (or a link to one). Those macros are the killer: when a user enables them, they run a downloader (typically launched through PowerShell) that fetches and installs the malware itself. They are also Emotet’s weak point, because a document that demands macros just to show its content is something you can detect and block before anyone opens it.
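To make that “weak point” concrete, here is an added example (not part of the original article, and not Kryptos Logic’s tooling) in PowerShell that triages Office attachments the way a mail-gateway or quarantine script would: it opens an Office Open XML file as the ZIP container it is and reports whether it carries a VBA project. It assumes .NET’s System.IO.Compression is available (Windows PowerShell 5.1 or PowerShell 7). Legacy binary .doc/.xls files are not ZIP containers, so the check deliberately answers “review” for them instead of guessing. The sample documents it builds are constructed placeholders, not real malware.

```powershell
# Added example (not from the original article): flag OOXML attachments that carry a VBA project.
# Assumptions: .NET System.IO.Compression is loadable (Windows PowerShell 5.1 / PowerShell 7);
# legacy binary .doc/.xls files are not OOXML and are reported as "review", not inspected.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OoxmlHasMacro {
    # Returns $true / $false for an OOXML file, $null if the file is not a ZIP container.
    param([Parameter(Mandatory)][string]$Path)

    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        return $null    # not a ZIP: legacy binary Office file or something else entirely
    }
    try {
        # 1. The compiled VBA project is stored as a part named vbaProject.bin (word/, xl/, ppt/).
        $hasVbaPart = [bool]($zip.Entries | Where-Object { $_.Name -ieq 'vbaProject.bin' })

        # 2. Cross-check the content-types manifest, which declares the VBA part's MIME type.
        $hasVbaType = $false
        $ct = $zip.GetEntry('[Content_Types].xml')
        if ($ct) {
            $reader = New-Object System.IO.StreamReader -ArgumentList $ct.Open()
            try { $manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
            $hasVbaType = $manifest -match 'application/vnd\.ms-office\.vbaProject'
        }
        return ($hasVbaPart -or $hasVbaType)
    } finally {
        $zip.Dispose()
    }
}

function Get-AttachmentVerdict([string]$Path) {
    $hasMacro = Test-OoxmlHasMacro -Path $Path
    if ($null -eq $hasMacro) { return 'review: not OOXML (legacy .doc/.xls or not an Office file)' }
    if ($hasMacro)           { return 'block: document carries a VBA project' }
    'allow: no macro project found'
}

# --- constructed sample documents (placeholders, not real malware) --------------------------
function Add-ZipText($Archive, $Name, $Text) {
    $writer = New-Object System.IO.StreamWriter -ArgumentList $Archive.CreateEntry($Name).Open()
    try { $writer.Write($Text) } finally { $writer.Dispose() }
}

function New-SampleDocument {
    param([string]$Path, [switch]$WithMacro)
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $types = '<?xml version="1.0" encoding="UTF-8"?>' +
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">' +
                 '<Default Extension="xml" ContentType="application/xml"/>'
        if ($WithMacro) {
            $types += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        }
        $types += '</Types>'
        Add-ZipText $zip '[Content_Types].xml' $types
        Add-ZipText $zip 'word/document.xml' '<w:document/>'
        if ($WithMacro) { Add-ZipText $zip 'word/vbaProject.bin' 'constructed placeholder for a compiled VBA project' }
    } finally { $zip.Dispose() }
}

$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'emotet-macro-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
New-SampleDocument -Path (Join-Path $dir 'clean.docx')
New-SampleDocument -Path (Join-Path $dir 'invoice.docm') -WithMacro
Set-Content -Path (Join-Path $dir 'old-format.doc') -Value 'not a zip container'   # stands in for a legacy .doc

Get-ChildItem -Path $dir -File | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; Verdict = Get-AttachmentVerdict -Path $_.FullName }
} | Format-Table -AutoSize
```

Checking both the part name and the manifest matters because either alone can be stripped or renamed; the file extension is ignored on purpose, since a macro-bearing document does not stop being one when it is sent as “.docx”. Anything that is not a ZIP at all (the classic Word 97-2003 .doc that many 2018 Emotet emails used) lands in “review” so a human or a dedicated OLE scanner looks at it rather than the script waving it through.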

We are a small company. Aren’t we under the radar?

No! Smaller companies are especially attractive to Emotet because:

  • They often don’t have trained cybersecurity professionals dedicated to defense, so an intruder can snoop for longer and remain undetected
  • They often don’t have the tools to monitor and defend their network properly
  • They often don’t have policies in place that double-check financial transactions (the kind of fraud a stolen mailbox makes easy)
  • More often than not, they pay the ransom because they don’t have reliable, tested backups

But… won’t my antivirus (AV) protect me?

There is an interesting website that is basically a firing range for malware: it checks samples against most of the antivirus products out there. It’s an unbiased evaluation, and you may be surprised by what it reports.

The majority of AV solutions are far behind the curve, largely because Emotet repackages its files so frequently that signature-based detection keeps losing the race. Machine-learning detection does help, but most AV products out there don’t yet use that level of technology. In short, it’s very unlikely your antivirus alone will be a reliable defense.

What can I do?

If you’re concerned enough to want to do something, here are some actions you can take:

  • Disable macros in all Office documents. Unless you NEED them in your work (and most companies don’t), you should disable them. I suggest defining a GPO (Group Policy Object) in Active Directory that disables them for the entire company rather than relying on each user’s own settings.
  • Disable PowerShell if you don’t use it. It is a built-in part of Windows, so in practice this means blocking powershell.exe for ordinary users (for example with AppLocker or Software Restriction Policies) and logging what it runs; the Emotet macro relies on it to fetch the payload.
  • Use a good spam-filtering service. Google has one, but there are others; make sure whichever you choose can quarantine macro-enabled attachments.
  • Upgrade to a good “Next Generation Antivirus”, one that judges behaviour rather than relying on signatures alone.
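The first two bullets are one Windows administration job, so here is an added PowerShell example (mine, not the article’s and not any vendor’s) that writes, for the current user, the same registry values the Office ADMX policies “VBA Macro Notification Settings” and “Block macros from running in Office files from the Internet” set, audits them, and turns on PowerShell script block logging so that whatever a macro hands to powershell.exe is recorded. Assumptions: Office 2016/2019/365 (policy hive version 16.0; Office 2013 uses 15.0); the production route is a domain GPO, and this script mirrors what that GPO pushes so you can verify it on an endpoint.

```powershell
# Added example (not from the original article): apply per user the registry values that the Office
# macro Group Policy settings write, audit them, and enable PowerShell script block logging.
# Assumptions: Office 2016/2019/365 (policy hive 16.0); run as the user being hardened;
# Enable-ScriptBlockLogging writes HKLM and therefore needs an elevated shell.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$MacroPolicy = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1   # block macros in files carrying the Mark-of-the-Web
}

function Get-SecurityKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-OfficeMacroLockdown {
    foreach ($app in $Apps) {
        $key = Get-SecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $MacroPolicy.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $MacroPolicy[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OfficeMacroLockdown {
    # Emits one row per application/setting that is missing or differs from the policy value.
    foreach ($app in $Apps) {
        $key = Get-SecurityKey $app
        foreach ($name in $MacroPolicy.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $MacroPolicy[$name]) {
                [pscustomobject]@{ App = $app; Setting = $name; Expected = $MacroPolicy[$name]; Actual = $actual }
            }
        }
    }
}

function Enable-ScriptBlockLogging {
    # Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the
    # de-obfuscated code of every script block, including what a malicious macro passes to powershell.exe.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

Set-OfficeMacroLockdown
$gaps = @(Test-OfficeMacroLockdown)
if ($gaps.Count -eq 0) {
    'Macro lockdown in place for Word, Excel and PowerPoint'
} else {
    $gaps | Format-Table -AutoSize
}
# Run from an elevated shell: Enable-ScriptBlockLogging
```

Run Test-OfficeMacroLockdown on its own against a machine that should be receiving the GPO; any row it returns is a gap between what you think the domain pushes and what the endpoint actually has. Note that PowerShell’s execution policy is not a security boundary (Emotet’s macros call powershell.exe with an encoded command that ignores it), which is why the article’s “disable PowerShell” bullet translates into blocking the executable for users who do not need it plus logging, rather than into an execution-policy setting.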

If all the options above confuse you, bring in a security consultant to help. There are a lot out there and they can be expensive, but the good ones are certainly worth the money.

How do I know if I’ve been infected?

The longer an Emotet infection lingers, the more likely it is to be abused: the more time the operators have to “watch” you, the better their follow-on attack will be. I suggest subscribing to a sinkhole data service. Such a service watches and collects data on all the computers talking to command-and-control servers on the Internet, and a free notification service of this kind will tell you if one of your IP addresses is talking to a command server. Bear in mind that the alert is keyed to your public IP address, so behind NAT you will still need your own firewall or proxy logs to find the infected machine.

You can find out even more about how Emotet works here: