Emotet: Next-generation cybercrime

2021-12-14 How does the malware work, what consequences can it have and what can university members do against an attack? Christian Wagner, Media and Information Centre, clarifies.

In light of current events, we would like to warn of a renewed threat to our IT infrastructure posed by the encryption Trojan Emotet, the MIZ stated in a security warning some time ago. With spam emails, which often seem harmless and sometimes imitate the language use of normal mails well, criminal networks try to interfere with the digital infrastructure of companies and institutions - and this can have dire consequences.

Christian Wagner works for the Media and Information Centre in the IT Infrastructure department at Leuphana University. In addition to being responsible for Leuphana's central storage systems and for issuing the digital certificates used to verify identities, the engineer is also in charge of "intrusion detection and prevention". This involves detecting and evaluating intrusion attempts on the local digital infrastructure. "In this context, for example, we check for attack attempts, determine their nature and the prevailing threat situation," Wagner explains. If something is discovered during the analysis, for example malware that was loaded onto a computer through a spam email, Christian Wagner ensures that further measures are initiated. For example, the IT service removes affected computers from the network and sets them up again from scratch.

A possible threat to the IT infrastructure is currently again emanating from the Emotet malware. However, the malware is not new: Emotet has a long development history and has taken on ever greater dimensions in recent years. At the beginning, in 2014, the software was used by its criminal developers to break into the online banking accounts of private individuals. Later, Emotet became an extortion Trojan that encrypted the data of individual users in order to extort a ransom for its release. "Those were the early days, when the attacks still affected individuals." There was a turnaround in 2018: individual users were no longer the target of the cyberattacks. The criminal network behind Emotet began to penetrate the computer systems of companies. According to Wagner, this is "next-generation cybercrime". Various criminal networks, most notably the one behind Emotet, began adapting sophisticated techniques used by both spies and state actors to penetrate and manipulate the networks and systems of large companies.

"The first step is always to penetrate the infrastructure," Wagner explains the modus operandi of an Emotet attack. This is done, for example, through a phishing email with malicious attachments that load malware onto the computer when the files are opened. Once the intrusion is successful, the perpetrators analyse the infrastructure in order to locate important backups - which can later be used as leverage for blackmail - and other possible security gaps. The malware then spreads throughout the network, gathering information on its scope, functionality and potential. "The intruders thus know exactly how high they can ultimately set their ransom demand." Once the network has been comprehensively tapped, the ransom demand is made. The blackmailers usually do not negotiate, and threaten, for example, to publish or destroy company data.

"This development is frightening," says Wagner. Once the network of operators behind Emotet has found a way into the system, they can read every email, find out access credentials and thus spread further and further into the IT infrastructure. Wagner is certain that the issue will become even more important in the future. "The procedure is lucrative, the companies pay the ransom, which usually runs into millions. And as long as this is the case, such attacks will continue." The bottom line, he says, is that every company and institution unfortunately has to assume that it will itself be hit at some point.

"A lot of hacking attacks happen around Christmas." This is when the majority of administrators are on holiday and systems are less closely monitored. In the worst case, a cyber attack could shut down the university's entire digital infrastructure. Some German universities have already fallen victim to such attacks, and it can take weeks or even months to rebuild the systems and restore the files.

For this reason, according to Wagner, it is all the more important to educate employees about the dangers and consequences, and to promote a conscious and attentive view: "The question then is: How is the awareness in the company? How well prepared are they?"

This includes, above all, taking a closer look at incoming e-mails: Is an email from this sender expected at all? Are the attachments and links plausible in context? Is the language conspicuous? If in doubt, it is a good idea to call the sender to find out whether they have actually sent the e-mail. And what if a link from an e-mail that you have already clicked on seems suspicious? "Then switch off the computer immediately and call the IT service," says Christian Wagner. For most software users, the topic of IT security is difficult to grasp. This is why, according to Wagner, awareness training courses will be offered in the near future, to prevent the intrusion of malware and to create a better understanding of cyber security.

  • Contact: Dipl.-Ing. (FH) Christian Wagner