
CISA Issues Warning About Increase in Emotet Malware Attacks

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now a highly sophisticated Trojan.

In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection.

Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands that download the malware. If the email attachment is opened and content is enabled, Emotet will be silently downloaded and executed. Spam emails containing hyperlinks to malicious websites have also been used to deliver the malware.


Emotet malware is persistent. It inserts itself into running processes and creates registry entries to ensure it is run each time the computer boots. Once a victim’s computer has been infected it is added to the Emotet botnet. The computer will then be used to distribute copies of Emotet to the victim’s contacts via email. According to SecureWorks, Emotet steals the first 8KB of all emails in the inbox. That data is used to craft new messages to contacts that contain real message threads, and replies are sent to unread messages in the inbox. This tactic increases the likelihood of the recipient opening the message and file attachment. Campaigns have also been detected using email attachments that imitate receipts, shipping notifications, invoices, and remittance notices.

In addition to propagation via email, Emotet enumerates network resources and writes itself to shared drives. It also brute-forces domain credentials. If Emotet is detected on one computer, it is probable that several others are also infected. Removing Emotet can be problematic, as cleaned devices are likely to be reinfected by other infected computers on the network.

The Emotet botnet was inactive for around 4 months from May 2019 but sprang back to life in September. Emotet activity suddenly stopped again in late December and remained quiet until January 13, 2020, when massive spamming campaigns resumed. Proofpoint detected one spam campaign targeting pharma companies that saw around 750,000 emails sent in a single day.

“If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” warns CISA in its January 22, 2020 alert.

CISA suggests the following steps should be taken to reduce the risk of an Emotet malware attack:

  • Block email attachments that are often associated with malware (.exe, .dll, .js, etc.)
  • Block email attachments that cannot be scanned by anti-virus software (e.g. .zip, .rar files)
  • Implement Group Policy Object and firewall rules
  • Ensure anti-virus software is installed on all endpoints
  • Ensure patches are applied promptly and a formalized patch management process is adopted
  • Implement filters at the email gateway
  • Block suspicious IP addresses at the firewall
  • Restrict the use of admin credentials and adhere to the principle of least privilege
  • Implement DMARC
  • Segment and segregate networks
  • Limit unnecessary lateral communications
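The first two mitigations, together with the macro-laden Office lures described earlier, translate directly into an email gateway attachment policy. The following is an added example (not code from CISA or The HIPAA Journal) that parses a message, flags attachment types CISA recommends blocking or that cannot be scanned, flags macro-capable Office documents, and catches a file whose leading bytes do not match its extension; the sample message, filenames and extension lists are constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath

# Extension lists follow CISA's recommendation; extend them to local policy.
EXECUTABLE_EXTS = {".exe", ".dll", ".js"}              # block outright
UNSCANNABLE_EXTS = {".zip", ".rar"}                    # AV cannot inspect contents
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".docm", ".xlsm"}  # Emotet's macro lure formats

# Leading bytes that identify the real container regardless of the file name.
MAGIC = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy Office)",
    b"PK\x03\x04": "ZIP/OOXML",
    b"Rar!\x1a\x07": "RAR",
}

def check_attachment(filename, data):
    """Return the list of policy violations for one attachment (empty list = allow)."""
    ext = PurePosixPath(filename.lower()).suffix
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type {ext}")
    if ext in UNSCANNABLE_EXTS:
        reasons.append(f"archive {ext} cannot be scanned")
    if ext in MACRO_CAPABLE_EXTS:
        reasons.append(f"macro-capable Office document {ext}")
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind == "PE executable" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a PE executable but named {ext or 'no extension'}")
    return reasons

def scan_message(raw):
    """Map each attachment's filename to its policy violations."""
    msg = message_from_bytes(raw, policy=default)
    return {(p.get_filename() or "unnamed"): check_attachment(p.get_filename() or "", p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed message imitating an invoice-themed lure (sample bytes, not real malware)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.invalid", "user@example.invalid", "Re: Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    msg.add_attachment(ole_header, maintype="application", subtype="msword", filename="Invoice_4471.doc")
    msg.add_attachment(b"MZ" + b"\x90" * 30, maintype="application", subtype="pdf", filename="Statement.pdf")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"{name}: {'BLOCK: ' + '; '.join(reasons) if reasons else 'allow'}")
```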

Detailed CISA guidance on blocking Emotet and remediating attacks can be found at this link.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
