• United States




What is Emotet? And how to guard against this persistent Trojan malware

Apr 12, 20195 mins
MalwareNetwork SecurityPhishing

The Emotet Trojan is one of the biggest malware threats in recent years. Here's what you can do to safeguard your business.

trojan horse virus
Credit: Thinkstock

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here’s a look at what you can do to safeguard your business against this pernicious Trojan malware.

How does Emotet infect networks?

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it. Here are a few ways to do exactly that.

How to prevent infection by the Emotet Trojan

As is so often the case, prevention is better than cure. This concept can be applied in several ways.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

If you scan your network, then patch any unsecured machines and ensure everything has the latest endpoint protection, then you can dramatically reduce the risk of infection. This will stand you in good stead against a myriad of threats, not just Emotet.

You should also consider the human element. Since infections begin with people, consider how to combat mobile phishing attacks and put a comprehensive security awareness training program in place. If you can stop an employee from opening that file or clicking that link in the first place, then Emotet will struggle to find a foothold on your network.

Because Emotet is constantly evolving, it’s vital to have the latest anti-malware tools and carefully consider your approach to endpoint detection and response. To combat a foe that’s constantly evolving, you want your defenses to do the same. Deep learning can be a valuable tool in the fight against malware like this.

How to stop Emotet from spreading

Perhaps the most unpleasant thing about Emotet is that it acts as a gateway for various Trojans and other malware. The banking Trojan and worm TrickBot is a common companion. Each of these malware threats has its own methods for self-propagation and targets different vulnerabilities. Perhaps the most effective action you can take in battling Emotet and everything that can come along with it, is to focus on patching known vulnerabilities.

This is a familiar piece of advice for any cybersecurity professional, but there’s a reason for that – many successful attacks today are the result of known vulnerabilities that should have been remediated. Known vulnerabilities are the low-hanging fruit, and failure to address them could lead to an explosion of malware across your network following a successful Emotet penetration. This straightforward, practical step is an essential one for anyone who is serious about their network security.

When you’ve dealt with the basics, you need to delve into best practices to build up a sophisticated, multi-layered set of defenses capable of repelling malware like Emotet. Consider the NIST Cybersecurity Framework, look into ISO 27001, and immerse yourself in the cybersecurity community in order to keep up with the latest developments in the fight against malware. This is a fast-paced area where you face an enemy that’s constantly evolving and probing for weaknesses, so it requires an untiring, relentless effort to keep it at bay.

Sadly, even if you do everything right, there’s a risk that you may suffer a successful Emotet attack and this Trojan is adept at re-infecting machines, even after you’ve cleaned them. That’s why you should also prepare a proper, robust incident response plan that delineates precisely how to deal with such an attack. With proper preparation and forethought, you can ensure your business bounces back as quickly and painlessly as possible.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author