How Frankfurt Stopped Emotet In Its Tracks

Jan 15, 2020

At a time when ransomware continues to bring governments around the world to a halt, one city has turned the tables by pre-emptively bringing its own government to a halt to prevent ransomware.

According to ZDNet, in late December, Frankfurt, Germany—one of the world’s biggest financial hubs—reportedly shut down its IT network after its anti-malware platform identified an Emotet infection. The reported malware gained entry when an employee clicked on a malicious email that had been spoofed to look as though it came from a city authority.

Rather than risk further spread and subsequent, more damaging infection, government authorities made the difficult decision to halt the IT network until the Emotet threat was resolved. In so doing, all of the city’s IT functions were shut down for over 24 hours—including employee email, essential apps, and all services offered through the webpage. The move paid off, however—as IT department spokesman Gunter Marr told Journal Frankfurt, no lasting damage had occurred.

“In my opinion, Frankfurt made a very brave—probably not easy—decision to shut down the network to eradicate their Emotet infection,” said John Fokker, Head of Cyber Investigations for McAfee Advanced Threat Research. “Emotet infection is a precursor to Ryuk ransomware, so I think they dodged the proverbial bullet.”

The Emotet-Ransomware Connection

In many cases, the first sign of ransomware is the ransom demand itself, alerting you that you’ve been infected and asking you to pay up. The Emotet malware works a bit differently in that it is not, in itself, ransomware. Instead, it functions like the key to a door: Emotet infects the system, and once the system is “open,” access to the Emotet-infected network can be sold to ransomware groups and other cybercriminals, who may then utilize stolen credentials and simply “walk in.” In a recent campaign, once Emotet was downloaded, it in turn downloaded the Trickbot trojan from a remote host, which stole credentials and enabled a successful Ryuk ransomware infection.

However, the same multistep process that can deliver two paydays on a single deployment of ransomware is also its Achilles’ heel. Since getting ransomware from an Emotet infection is generally a process of two or more steps, if you can stop or eliminate Emotet at Step 1, the subsequent steps toward a ransomware infection cannot occur.

While Frankfurt’s Emotet infection and the subsequent shutdown led to more than a day’s loss in productivity, massive outages and major disruption, the city should be commended on its quick and level-headed response—had they attempted to preserve business operations or opted to take a wait-and-see approach, a potential ransomware infection could have cost them millions more in lost productivity and threat mitigation.

An Ounce of Prevention …

While Frankfurt was able to intercept the Emotet botnet in time, many others were not—another attack several days before, in a town just north of Frankfurt, resulted in massive disruption when the Emotet malware led to the successful deployment of Ryuk ransomware. In other words, the best and safest way to avoid a similar fate is to prevent an Emotet infection in the first place.

There are several steps you can take to keep Emotet from establishing a stronghold in your network:

  1. Educate Your Employees: The most important step is to educate your employees on how to identify phishing and social engineering attempts. Identify email security best practices, such as hovering over a link to identify the actual destination before clicking on a link, never giving account information over email, and mandating that all suspicious emails be immediately reported.
  2. Patch Vulnerabilities: The Trickbot trojan is frequently delivered as a secondary payload to Emotet. It depends on the Microsoft Windows EternalBlue vulnerability—patching this vulnerability is an important step to securing your network.
  3. Strengthen Your Logins: If Emotet does gain entrance, it can attempt to spread by guessing the login credentials of connected users. By mandating strong passwords and two-factor authentication, you can help limit the spread.
  4. Adopt Strong Anti-Malware Protection, And Ensure It’s Configured Properly: A timely alert from a capable anti-malware system enabled Frankfurt to stop Emotet. Adopting strong endpoint protection such as McAfee Endpoint Security (ENS) is one of the most important steps you can take to help prevent Emotet and other malware. Once it’s in place, you can maximize your protection by performing periodic maintenance and optimizing configurations.
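
The "hover over the link" check from step 1, together with a check for the kind of spoofed sender described in the Frankfurt incident, can be automated at the mail gateway or in a reporting mailbox. The following is an added example, not code from McAfee or from the original post; the function names, the organization name and the `example.org` / `example.net` domains are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(value):
    """Hostname of a URL or bare domain; None when the text is not URL-like."""
    value = value.strip()
    if " " in value or "." not in value:
        return None
    return urlparse(value if "://" in value else "//" + value).hostname

def review_email(raw, org_name, org_domain):
    """Flag a spoofed display name and links whose text hides the real host."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if org_name.lower() in name.lower() and sender != org_domain:
        findings.append(("display-name-spoof", sender))
    for part in [p for p in msg.walk() if p.get_content_type() == "text/html"]:
        charset = part.get_content_charset() or "utf-8"
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, text in parser.links:
            shown, actual = host(text), host(href)
            if shown and actual and shown != actual:
                findings.append(("link-mismatch", f"{shown} -> {actual}"))
    return findings

# Constructed sample: example.org is the organization, example.net the real sender.
SAMPLE = ('From: "City Authority IT" <it-support@example.net>\nContent-Type: text/html\n\n'
          '<a href="http://login.example.net/renew">https://portal.example.org/renew</a>\n'
          '<a href="https://portal.example.org/policy">password policy</a>\n')
```

Calling `review_email(SAMPLE, "City Authority", "example.org")` reports both the display-name spoof and the first link, whose visible text shows the organization's portal while the `href` points elsewhere.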

Above all, don’t fall into the trap of thinking it couldn’t happen to you. According to the McAfee Labs Threats Report, ransomware grew by 118% in just the first quarter of 2019, and several new ransomware families were detected. If the spate of recent attacks is any indication, we may see similar trends in Q1 2020.

“The demand for access to large corporate or public sector networks is very high at the moment,” Fokker explained. “Ransomware actors are constantly scanning, spearphishing, purchasing access gained from other malware infections, and obtaining log files from info-stealing malware to get a foothold into networks.”

“Every company or institution should be diligent and not ignore even the simplest breach—even if it happened more than a year ago,” Fokker said.



