Financial Services Malware Just Won’t Die. What to Do About It.

Emotet, described as among the most dangerous types of malware for financial services organizations, has returned.


“Emotet has been one of the most professional and long-lasting cybercrime services out there,” according to Europol. It was thought the malware, first discovered in 2014, had been vanquished by law enforcement agencies from eight countries in January 2021. However, it reportedly resurfaced this past November.

Emotet typically spreads via phishing spam emails. It launches once a user clicks a link that opens a macro-enabled attachment. Widely viewed as the most dangerous malware in existence, Emotet is the malware most often reported by financial organizations. The FBI, which participated in the coordinated takedown of Emotet’s infrastructure, identified more than 45,000 computers and networks in the U.S. that had been affected by the malware.

Emotet is particularly evasive and hard to detect because it covers its tracks, blending into ordinary email traffic by using reconnaissance techniques. Specifically, the trojan reads old messages in a victim’s inbox and replies to them, inserting itself into an existing email conversation. Posing as a legitimate correspondent, it then sends along a malicious attachment. Rather than inflicting damage on the victim’s device itself, Emotet functions primarily as a downloader or dropper for other malware. According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA): “Emotet is a polymorphic banking trojan that can evade typical signature-based detection.”
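The thread-hijacking pattern described above lends itself to a simple mail-gateway triage rule: a “reply” that revives a dormant thread, comes from a domain that never took part in it, and carries a macro-enabled attachment. The following is an added illustration, not code from the article or from Akamai; the message format, thresholds, and sample thread are constructed for the example.

```python
"""Heuristic triage for Emotet-style email thread hijacking (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Office formats that can carry VBA macros (assumed list for this example).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".pptm")
# A reply to a thread idle longer than this is treated as a suspicious revival.
STALE_THREAD = timedelta(days=30)

@dataclass
class Message:
    msg_id: str
    sender: str
    date: datetime
    in_reply_to: Optional[str] = None
    attachments: List[str] = field(default_factory=list)

def domain(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def triage(msg: Message, thread: Dict[str, Message]) -> List[str]:
    """Return reasons to quarantine; an empty list means nothing suspicious."""
    parent = thread.get(msg.in_reply_to) if msg.in_reply_to else None
    if parent is None:          # not a reply we know about: nothing to compare
        return []
    reasons = []
    macro = [a for a in msg.attachments if a.lower().endswith(MACRO_EXTENSIONS)]
    if macro:
        reasons.append("macro-enabled attachment: " + ", ".join(macro))
    participants = set()        # domains that legitimately wrote in the quoted thread
    node = parent
    while node is not None:
        participants.add(domain(node.sender))
        node = thread.get(node.in_reply_to) if node.in_reply_to else None
    if domain(msg.sender) not in participants:
        reasons.append("sender domain absent from original thread")
    idle = msg.date - parent.date
    if idle > STALE_THREAD:
        reasons.append(f"revives thread idle for {idle.days} days")
    # Escalate only when a macro attachment coincides with a thread anomaly.
    return reasons if macro and len(reasons) > 1 else []

# Constructed sample data (not real mail): a March exchange, then a reply five
# months later from a look-alike domain with a .doc attached.
THREAD = {m.msg_id: m for m in [
    Message("<a1@bank.example>", "alice@bank.example", datetime(2021, 3, 2)),
    Message("<b1@vendor.example>", "bob@vendor.example", datetime(2021, 3, 3), "<a1@bank.example>"),
]}
SUSPECT = Message("<z9@lookalike.test>", "bob@lookalike.test", datetime(2021, 8, 20),
                  "<b1@vendor.example>", ["Invoice_0383.doc"])
BENIGN = Message("<a2@bank.example>", "alice@bank.example", datetime(2021, 3, 4),
                 "<b1@vendor.example>", ["summary.pdf"])
```

Running `triage(SUSPECT, THREAD)` yields three reasons, while `triage(BENIGN, THREAD)` yields none; a macro attachment from a genuine participant replying promptly is also left alone, so the rule targets the combination, not Office files in general.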

Crimeware for the asking

Emotet is an early example of malware-as-a-service—basically a loader for hire, which cyberattackers could rent to deliver their own malware. Dubbed the triple threat by many in security, it has been used to deliver the TrickBot malware, which in turn has been used to unleash Ryuk attacks that reportedly accounted for one-third of all ransomware attacks in 2020.

This demonstrates the organized crime characteristics of cyberattacks. Cybercriminals represent an underground ecosystem that connects individual malevolent actors with sophisticated criminal syndicates operating networks of infected computers—or botnets—that can be controlled from a centralized computer to deploy attacks.

Education that advises end users to avoid clicking these baited links can only go so far in deterring attacks. Security experts say there is no realistic way to ensure that all enterprise systems are fully secure. When one system is infected, malware quickly tries to move laterally through the network to find more targets of opportunity.

Focus on the organization’s crown jewels

Financial services organizations must focus their security efforts on protecting their “crown jewels”—their most sensitive, mission-critical data—and deterring lateral migration of malware.

“A best practice here is a mix of identifying and blocking dangerous domains, while safely connecting users and devices to the internet with a secure web gateway, while at the same time making sure possible infections cannot spread inside your core network,” says Gerhard Giese, Industry Strategist with Akamai. “Financial services institutions should incorporate a zero trust approach of ‘never trust, always verify,’ coupled with real-time threat intelligence.”

Akamai helps organizations improve data protection and security with solutions including:

  • Enterprise Threat Protector, which proactively identifies, blocks and mitigates targeted threats such as malware and phishing.
  • Zero Trust Network Access, a cloud-delivered, identity-aware, high-performance service with integrated threat intelligence that gives users secure access to applications without granting them access to the network.
  • Kona Site Defender, a cloud-based web application firewall with constantly updated application-layer firewall protections.
  • Guardicore’s microsegmentation technology—now part of Akamai’s Zero Trust security solutions—which lets you set up control policies to detect breaches and stop the spread of ransomware before attackers can reach your infrastructure and applications. Lateral movement is critical to the success of a ransomware attack.

The resurgence of Emotet is testimony to how cyberattackers continue to evolve tried-and-true malware, while also developing new threats. It takes coordinated industry threat intelligence, advanced technology solutions, and human analysis to keep organizations evolving their defenses at the same pace. Learn how we help them.

Copyright © 2022 IDG Communications, Inc.