Emotet continues its return to activity, with a survey ranking Brazil as the fourth country most infected by the malware. The threat, which can open the door to criminals and facilitate ransomware attacks, among others, has been registering a gradual increase in activity after spending practically the whole year gone, following an international police operation that destroyed the infrastructure once used for its distribution.

The data comes from Check Point and points to another actor, Trickbot, a Trojan that criminals have been using to deliver new Emotet samples to compromised computers. Since November, Trickbot has infected 140,000 victims, reaching users in 149 countries, and it has now contributed to consistent growth of Emotet over the same period, which became the seventh most prevalent malware in the world in just two weeks.

Portugal is the country most affected by the Trojan, with 18% of infections, followed by the United States, with 14%. India appears in fourth place, with 5%, followed by Brazil (4%), with Turkey (3%) completing the top 5. High-profile sectors, such as government and military institutions, account for almost a fifth of infections, with 18%; banking and finance (11%), industry (9%) and healthcare (7%) come next.

Consistent growth in Trickbot infections is pointed out as the gateway to a new wave of ransomware via Emotet (Image: Disclosure/Check Point)

The distribution shows a focus on countries with a strong presence of multinationals and of companies of interest to criminals launching ransomware attacks. The infection vector is malicious files, in ZIP format or from the Office suite, which are downloaded after successful phishing attempts; from Trickbot, they open the door to infection by Emotet and other malware, according to what each attacker wants to do with the compromised networks under their control.

Bitter return

In the view of Lotem Finkelstein, Check Point’s director of threat intelligence, the resurgence of Emotet is a wake-up call for the wave of ransomware attacks expected to occur in early 2022. “[The malware] formed the strongest botnet in cybercrime history. Now, it has resold its infection base for distribution by other criminals, mostly ransomware groups,” he comments.

In the expert’s view, analysts and administrators need to treat an Emotet infection as if it were a ransomware attack, even if the ransomware has not yet been triggered. Otherwise, it is just a matter of time; in the meantime, monitoring tools and indicators of compromise can be used for detection and mitigation before the attackers launch their offensive.

All of this comes after an international operation, organized by authorities from eight countries together with Europol, brought down Emotet’s global infrastructure. The malware, which spent all of 2020 at the top of the most-dangerous list, was successfully shut down in January of this year, with the infected machines redirected to networks controlled by the authorities and their owners notified by experts. It took a while, but apparently the danger is back, and it could be stronger this time.

Training on the dangers of phishing and on security best practices is also important to ensure that employees, particularly those working from home on unsecured machines, do not serve as an entry vector. Threat intelligence, management and update-enforcement systems also help identify warning signs and make it harder for criminals to deploy malware.