The Damage and Cases of “Emotet”, Which Is Now Rampant

Emotet is a type of malware (computer virus) that has been spreading rapidly in 2022. Since it was first detected in 2014 as part of a Russia-based cybercrime operation, numerous variants have appeared, and in 2019 and 2020 it became a global epidemic, causing a great deal of damage to individuals, companies, and public institutions. Signs of a resurgence have been seen since the end of 2021, and reports of damage in Japan are increasing.
This article explains Emotet’s basic attack methods, the scope of its damage, and its infection routes, and introduces specific cases of damage. We hope it will deepen your understanding of Emotet and help you take countermeasures.
Table of Contents
- Emotet’s Basic Mechanism
- Infection Route to Emotet
- Emotet’s Attack Methods, Main Damage Cases
- Emotet’s Specific Damage Cases
- Improve the Literacy of Persons in Charge and Employees
- Consider Operation Management and Maintenance
- Strengthen Server Authentication
- How to Escape the Threat of Emotet
- Summary
1. Emotet’s Basic Mechanism
Here, we will introduce how Emotet invades and what kind of damage and risks occur if infected.
This is an introduction to the standard pattern; individual variants may behave differently, but we hope you will first grasp this basic information.
1-1. Infection Route to Emotet
Emotet infection is caused by malicious email attachments. Infection occurs through malicious macros embedded in Microsoft Word or Excel documents, or through ZIP archives whose extracted contents execute malicious code. In some cases, instead of an attachment, the user is directed to a URL in the email body, on SNS, or on a web bulletin board, and is infected by malicious code embedded in that website.
Malicious emails are sent indiscriminately to large numbers of recipients, either as spam from overseas or as phishing emails disguised as messages from banks or online stores.
In addition, an Emotet-infected PC is in some cases used to harvest the address book and contacts stored on it, so that the follow-on email or attachment appears to come from a trusted person and the recipient, caught off guard, becomes infected.
Furthermore, a new method seen since around April 2022 attaches a Windows shortcut file (.lnk) to the email. Shortcut files are small files that do nothing on operating systems other than Windows, but because Windows follows the link target without any warning, this method demands particular care.
<Emotet Infection Route>
- Malicious email attachments (Word or Excel macros, .lnk files)
- Inside zip files attached to emails
- Accessing malicious websites from URL links (emails, SNS, web bulletin boards, etc.)
1-2. Emotet’s Attack Methods, Main Damage Cases
We will explain the specific damage and impact when infected with Emotet.
① Transmission to other devices (worm)
Emotet has a worm function: from the initially infected PC, it spreads to other devices on the same network in the same way.
This is a common malware behaviour, not unique to Emotet, but combined with the other Emotet behaviours introduced below it makes the damage far more serious for companies and organizations with many computers on the same network.
② Send impersonation emails
One of Emotet’s typical nuisance behaviours is sending out suspicious emails that spread Emotet further.
Impersonation emails have many tell-tale signs if you look closely: the subject and body are almost empty, the Japanese is unnatural, or the email address differs from the sender’s real one. However, because the sender’s name is usually known to the recipient, there appear to be quite a few cases where the recipient lets their guard down, opens the attachment or follows the URL, and so helps Emotet spread.
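As an added example (not part of the original article), the following checks an inbound message for the impersonation traits described above: a sender display name that matches a known contact while the address differs, and a near-empty subject or body. The contact book and both sample messages are constructed.

```python
"""Heuristics for the impersonation-email traits described above: a sender
display name matching a known contact while the address differs, and a
near-empty subject or body. Added example; contact book and messages are
constructed, not taken from any real incident."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed contact book: display name -> the address we actually know.
CONTACTS = {"Tanaka Hiroshi": "tanaka@example.co.jp"}

def check_message(raw: str, contacts: dict = CONTACTS) -> list:
    """Return the reasons a message looks like an Emotet-style spoof ([] if none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    known = contacts.get(name)
    if known and known.lower() != addr.lower():
        reasons.append(f"display name '{name}' is known as {known} but mail came from {addr}")
    subject = str(msg.get("Subject", "")).strip()
    if len(subject) <= 3:  # empty, or nothing more than "Re:"
        reasons.append("subject is empty or near-empty")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if len(text) < 40:
        reasons.append("body is empty or near-empty")
    return reasons

# Constructed sample: known name, unknown address, almost no content.
SPOOF = """\
From: Tanaka Hiroshi <tanaka.h@mail-example.net>
To: suzuki@example.co.jp
Subject: Re:
Content-Type: text/plain; charset=utf-8

See attached.
"""
# Constructed sample: the same contact writing from the known address.
LEGIT = """\
From: Tanaka Hiroshi <tanaka@example.co.jp>
To: suzuki@example.co.jp
Subject: Meeting notes from Tuesday's review
Content-Type: text/plain; charset=utf-8

Hi Suzuki-san, attached are the notes from Tuesday's review meeting. Thanks.
"""
```

The thresholds are deliberately simple; in a mail gateway they would be tuned to the organization's own traffic.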
③ Create security holes to make it easier for other malware to enter
Emotet infection opens security holes that let in malware that would normally be blocked.
For example, the follow-on malware may evade detection by residing only in memory (RAM) rather than in files on disk, or may escalate privileges by exploiting other malware or vulnerabilities on the Emotet-infected device.
④ Information eavesdropping and exploitation
Emotet has a function for stealing information from infected terminals and transmitting it to the outside.
By itself this causes no visible damage or attack, but the stolen information is then used to deploy even more powerful malware such as ransomware, or to crack passwords, which is where the actual damage occurs.
⑤ Download malicious files
Terminals infected with Emotet connect to an external server prepared by the attacker and download the malicious files that carry out the actual attack.
The damage that is eventually discovered comes from the attack carried out by that downloaded file, but Emotet may have been the route by which the file got in in the first place. In addition, because attackers can delay activating Emotet, it becomes difficult to determine when and by which route the infection occurred.
As described above, Emotet’s characteristics are that “damage tends to spread across the organization’s network,” “Emotet itself does not attack directly, so detection is delayed and investigation is difficult,” and “very serious attacks and damage are highly likely to follow an Emotet infection.” This makes it more serious than conventional malware, and explains why even well-known companies that should have had thorough security measures have suffered great damage.
2. Specific Examples of Emotet Damage
Here, we describe specific cases in which Emotet has caused damage. Of course, Emotet damage is not limited to what is described here, and many other cases have occurred. Infection with Emotet does not always lead to such damage, but we believe that by correctly understanding how serious Emotet is and how much damage it can cause, all companies and organizations will see the need for appropriate countermeasures.
2-1. Main Examples of Emotet Damage in Japan
One example of the nuisance caused by Emotet infection is the “impersonation email” mentioned earlier. In companies with a large organization or many employees, it is easy to imagine inquiries about impersonation emails arriving one after another. For this reason, companies affected by Emotet have issued press releases warning related parties about impersonation emails.
<Examples of companies that are calling attention to suspicious emails due to Emotet infection>
- Sekisui House Co., Ltd.
- Lion Corporation
- Kinokuniya Bookstore Co., Ltd.
- Mynavi Corporation
Some companies have suffered specific damage other than impersonation emails. Here are some publicly available examples.
<Examples of companies that have suffered specific damage due to Emotet infection>
- In-Plus Co., Ltd. (February 2022)
Due to Emotet infection, email addresses and names (personal information) and subject data of people inside and outside the company were leaked. Suspicious emails and impersonation emails containing attached ZIP files that abused this were confirmed.
- Nippon Telegraph and Telephone West Corporation (NTT West) (March 2022)
Due to Emotet infection, the email addresses and email information of a university and university corporation in Aichi Prefecture, which is a business partner, were leaked. Suspicious emails due to this were reported.
- Fukushima Galilei Co., Ltd. (March 2022)
An employee’s terminal was infected with Emotet, the email addresses stored on the email server were leaked, and the attacker abused them to send suspicious emails to multiple related parties.
- Futaba Denshi Kogyo Co., Ltd. (February 2022)
One of the Thai subsidiaries was infected with Emotet, and email addresses were exploited. The infected PC was immediately disconnected, and all PCs were checked for malware to confirm that there were no infections on other terminals.
2-2. Main Examples of Emotet Damage Overseas
Many companies in Japan are affected by Emotet, but more serious cases have been reported overseas. Emotet’s main infection route is email, and in Japan the malicious emails have been relatively easy to spot because the Japanese localization (translation of the text) is poor or the content does not fit Japan’s distinctive email culture.
Overseas, however, and especially in English-speaking countries, email exchanges are more casual than in Japan, so there are likely many cases where the malicious email is hard to notice because its text is almost indistinguishable from a normal exchange.
Also, the nature of the attack has changed from the initial type around 2014.
In the past, the main method was to target financial institutions and steal account information via Emotet for profit; now the model is to make infection with other malware easier, using the Emotet infection as the starting point, and to spread it.
This is because countermeasures against the original Emotet attack method have been established to some extent, and the security of financial institutions in particular has become very strict, so Emotet (and the attackers who abuse it) have adapted.
The following describes some of the Emotet cases that have had a particularly large impact overseas.
- KraussMaffei (December 2018)
KraussMaffei, a German heavy machinery manufacturer, was infected with a variant of Emotet that also serves as ransomware (file encryption that demands a ransom), causing many of the factory’s computers to stop, making it impossible to control machine production and assembly.
- Fürstenfeldbruck Hospital (November 2018)
Following an Emotet infection at the Fürstenfeldbruck hospital in Bavaria, Germany, electronic medical records could not be used properly for one week and the system had to be shut down. The hospital was temporarily deregistered from the Integrated Rescue Control Center (i.e. as an emergency-transport hospital), and emergency patients were diverted to another hospital. It is said that the hospital’s critical treatment systems were separated from the Internet and from the Emotet-infected network, so the damage did not extend to human life.
- North Carolina School District (2017)
Large-scale Emotet damage occurred in a school district in North Carolina, USA: school computers were affected (the specific damage is undisclosed) and operations are said to have stopped for two weeks. The loss is reported as $1.4 million (approximately 150 million yen at the time), and the case is cited on a US government public-information page as a representative example of actual Emotet damage in the United States.
2-3. Spread of Emotet Infection (2022)
Emotet reached its peak of infection around 2020, causing a great deal of damage and disruption, but in January 2021 a “takedown (neutralization)” of Emotet succeeded through an international joint operation by law enforcement and judicial authorities of eight European and American countries, including the European Criminal Police Organization.
As a result, Emotet’s activity has been confirmed to have subsided rapidly in Japan.
However, Emotet activity has been confirmed again since the end of 2021, with infections particularly prominent in Japan: in March 2022, reports of infection and damage reached about five times the number seen during the previous epidemic.
Around February 2022, Russia’s invasion of Ukraine began. Although a direct factual link between the invasion and the Emotet resurgence is not clear, Emotet itself originated as malware from Russia, and cyberattacks on countries around the world have been active at the same time as the invasion, so it can be said that the two are not entirely unrelated.
As for why Emotet is spreading so remarkably in Japan, no accurate investigation has yet been conducted, but the increased quality of the fake emails that form Emotet’s main infection route can be said to be one reason. In the past there were easy-to-spot signs such as clearly unnatural Japanese, content that did not match Japanese email culture, and obviously different addresses. Now the Japanese localization has improved and the content is sophisticated enough that it cannot be distinguished at a glance, allowing the campaign to spread to Japan, where there was less caution than in English-speaking countries.
3. How to Escape the Threat of Emotet
Emotet is a very high-threat malware that is different from past malware, and all companies that connect to the Internet must be wary of it.
However, as mentioned earlier, Emotet itself does not carry out specific attacks or destructive activity; it cleverly hides itself, steals information, and enables the activity of more powerful malware, which is what makes it so troublesome. Technical security measures are of course necessary, but if the final human judgment is wrong, infection cannot be prevented 100%, no matter how advanced the measures are.
Emotet infects through malicious attachments in emails and links to websites that distribute illegal tools. Therefore, handling emails and avoiding dangerous sites is the first step and the greatest defense against Emotet. Those who are involved in work that uses the Internet should thoroughly implement the following precautions.
- Discard suspicious emails without opening them, and use spam filters
- Do not open unsolicited attachments, even from known individuals
- Disable macros in Microsoft Office. Where macros are needed for work, still do not accept macro-enabled Office files (.docm, .xlsm) as email attachments.
- Do not accept Office files in legacy format (Office 2007 or earlier; .doc, .xls) as email attachments.
- Do not access unknown URLs written in emails, etc. without permission
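As an added example (not part of the original article), the following implements the attachment policy from the list above, covering the infection routes described in section 1-1: it rejects macro-enabled Office files (.docm, .xlsm), legacy Office files (.doc, .xls) and Windows shortcuts (.lnk), including when they are hidden inside a ZIP attachment. The message and its attachments are constructed placeholders.

```python
"""Attachment policy for the precautions above: block macro-enabled Office
files (.docm, .xlsm), legacy binary Office files (.doc, .xls) and Windows
shortcuts (.lnk), including when nested inside a ZIP attachment. Added
example; the message and its attachments are constructed placeholders."""
import io, zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

BLOCKED = {".docm": "macro-enabled Word", ".xlsm": "macro-enabled Excel",
           ".doc": "legacy Word (may carry macros)",
           ".xls": "legacy Excel (may carry macros)", ".lnk": "Windows shortcut"}
MAX_DEPTH = 3  # stop descending into nested archives beyond this depth

def _classify(name: str, data: bytes, origin: str, findings: list, depth: int = 0) -> None:
    ext = PurePosixPath(name).suffix.lower()
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            findings.append((f"{origin}/{name}", "archive nested too deeply"))
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        _classify(info.filename, zf.read(info), f"{origin}/{name}", findings, depth + 1)
        except zipfile.BadZipFile:
            findings.append((f"{origin}/{name}", "unreadable archive"))
        return
    if ext in BLOCKED:
        findings.append((f"{origin}/{name}", BLOCKED[ext]))

def scan_attachments(msg: EmailMessage) -> list:
    findings = []  # (path, reason) pairs for every attachment the policy would reject
    for part in msg.iter_attachments():
        _classify(part.get_filename() or "unnamed", part.get_payload(decode=True) or b"", "mail", findings)
    return findings

def build_sample() -> EmailMessage:
    """Constructed message: a ZIP hiding a .docm and a .lnk, plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"placeholder, not a real document")
        zf.writestr("open_me.lnk", b"placeholder, not a real shortcut")
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["Subject"] = "sender@example.net", "Re:"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="quote.pdf")
    return msg
```

Extension matching is only a first filter; a gateway would also inspect content (for example, the presence of a VBA project inside an Office file renamed to hide its type).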
Summary
We have summarized the specific impacts and damage cases of Emotet, and the latest situation (as of May 2022 when this article was written).
Emotet infection is still spreading at the time of writing. An Emotet infection can cause unforeseen damage to your organization, and the spam it sends to external parties raises concerns about wider impact. Companies and organizations urgently need to ensure that everyone is careful with suspicious emails, attachments, and URLs in order to avoid infection.
Please contact globalsupport@jiran.com for inquiries.