Emotet might be gone – but malware is here to stay


There were sighs of relief across the cybersecurity industry when the Emotet banking Trojan was officially taken down in January. Having infected over 47,000 computers and been responsible for at least 45% of phishing emails, its removal meant computers and networks were at lower risk of attack.

About the author

Kelvin Murray is a Senior Threat researcher with Carbonite and Webroot.

Unfortunately, this comfort only lasted a short while as an increased volume of new malware soon appeared, attempting to fill the void left behind. Over the past few months, we’ve seen the likes of Dridex, TrickBot and IcedID all trying out new botnet email phishing campaigns. In a world where the last year’s sudden transition to remote working has created numerous IT challenges for businesses, cybersecurity has never been more important.

The cybercriminal groups implementing the Emotet attacks were not arrested, meaning they are likely to come back in full force with fresh rebrands and a strong vendetta. All things considered, the current threat landscape means that businesses simply can’t afford to relax their cybersecurity posture. To protect themselves, businesses need to ensure the gaps in their cyber protection are closed enough to ensure resilience across their entire systems. In this piece, I’ll explore several ways they can achieve that.

The importance of a strong backup and disaster recovery plan

Businesses shouldn’t wait to experience an attack before putting strategic defensive measures in place. In the case of ransomware attacks, the best prepared businesses are those that can refuse to pay a ransom because they are able to recover stolen data.

The best way to be able to recover data is to back it up. But deploying backup isn’t the only defensive measure businesses should consider.

A meaningful security posture starts with preventative security measures and an in-depth defensive data protection and recovery strategy. This involves putting a backup strategy in place that is regularly tested and reported on – so that admins can easily see if something is amiss.

When thinking about an in-depth recovery plan, the ‘what’, ‘why’, ‘how’ and most importantly the ‘who’ need to be answered to ensure the strategy is suitable for the company. This involves classifying your data: knowing what protection your data needs, where the data resides, how up to date it is, how it’s currently protected, and who has access to it.


Once an understanding is developed of which systems and data need to be available immediately and which can wait a few days or weeks, businesses can plan their disaster recovery strategy and choose the right backup solutions and schedules. Businesses should also evaluate whether a large-scale recovery is within the capability of the IT team. If not, a trusted partner should be included in the recovery plan.

Educate your employees

Employees need to be prepared and understand how to react to a situation such as a malware attack, what logical steps and processes are required to ensure there is as little damage as possible and, crucially, what they can do to help the business avoid such an attack in the first place.

Security awareness training is the most effective way to address the common threat vectors that lead to successful malware and ransomware attacks. A comprehensive and consistent education program will improve employee vigilance and help to defend endpoints.

Training employees with phishing simulations is more effective when conducted more frequently, and we’ve found that after 12 sessions click rates on malicious links and attachments can drop up to 50%.

Ultimately, those working within an organization are just as important as the technology being used. Regular discussions amongst teams around how to communicate if an attack does happen will help determine who will be responsible for what, which systems should be brought into the recovery process, and when. This makes the process smoother and allows productivity and normal operations to return more quickly and efficiently.

Install reputable cybersecurity software

By adopting cybersecurity solutions that use real-time threat intelligence and multi-layered shielding to detect and prevent multiple kinds of attacks, businesses will know that they have a robust hold on their cybersecurity plan and will be able to recover from any form of malware attack.

Additionally, businesses may choose to ensure cyber resilience by undertaking an external security audit to identify software vulnerabilities, implementing two-factor or multi-factor authentication to minimize credential theft, and deploying internet threat intelligence and DNS filtering to block malicious sites.

Businesses can modernize their organization and ensure they remain resilient to different types of attacks by analyzing their cybersecurity technology stack and revamping where needed.

The implications for businesses of not having these protections in place can be wide-ranging and devastating: from losing critically important data, to the heavy cost of replacing hardware, rebuilding software or reconstituting data.

However, these costs can pale in comparison to the potential lost revenue or reputation if a business must close its doors due to an outage. Although Emotet is now gone, the worst thing a business could do is rest on its laurels when it comes to backup and cybersecurity policies.

Kelvin Murray

Kelvin Murray is a Senior Threat Researcher at Webroot. He has over en years of experience in that domain.