In January, an international group of law-enforcement agencies took down Emotet, the world’s top malware. Authorities took over its command-and-control servers and installed a kill switch that will automatically uninstall the malware on April 25.
This is good news. Emotet infections can cost up to $1 million per incident to remediate, according to the US Cybersecurity and Infrastructure Security Agency. But it doesn’t mean data center security managers can sit back, relax, and let the kill switch do its work.
Once it embeds itself in a system, Emotet becomes a vector for additional infections. It opens doors on an enterprise network for other malware to walk through. It’s also a worm, so it will try to spread as far and wide as it can.
Now, while the command-and-control servers are down, is the perfect time for security teams to conduct full forensic sweeps, identify any instances of the malware in their systems, trace and shut down the pathway it used to get into the systems, and track what else it installed and where else it managed to spread.
“After the 25th [of April] you won’t have the evidence that Emotet was there,” Etay Maor, cybersecurity professor at Boston College and senior director of security strategy at Cato, told DCK. “But you might still be exposed because there might be other malware in your systems.”
What Is Emotet?
Emotet first popped up in 2014, when it was just a simple banking trojan. But it grew and evolved, becoming a key part of the “malware-as-a-service” ecosystem. Major cybercriminal groups piggybacked on the Emotet botnet infrastructure to spread their own malware, including ransomware.
“It brought in all its friends,” said Maor. “Whoever paid for the malware-as-a-service was able to get their malware on millions of devices.”
Emotet was also particularly good at evading defenses, including sandboxes. And it was polymorphic, changing automatically and constantly to evade signature-based antivirus defenses.
That’s not to say that antivirus software or sandboxes are…