We would like to bring to your attention a variant of malware that is currently one of the most costly and destructive threats to businesses, called Emotet. Emotet is not a new piece of malware, but it is one that has become steadily more complex and destructive over the years.
What is Emotet?
Emotet is a very sophisticated threat that, once in, can quickly infect an entire organisation. Like other self-propagating threats it spreads without the aid of a user, enabling it to wreak widespread damage.
Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may carry familiar branding designed to make them look like legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or an upcoming shipment from a well-known parcel company.
Once on a computer, Emotet has three main goals:
- Spread onto as many machines as possible.
- Send malicious emails to infect other organisations (damaging your sender reputation in the process).
- Download a malware payload. Its payload injects code into your browser to automatically debit your bank and PayPal accounts when you next log in.
In many cases Emotet also tries to steal data, turning a malware infection into a data breach. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam. Others inspect your web browser, stealing histories and saved usernames and passwords.
What makes Emotet so dangerous?
Emotet earns its reputation as one of the most costly and destructive threats for several reasons.
- It only needs one computer that is not fully protected to infect an entire organisation. Once it gets in, it quickly spreads laterally across the network.
- It constantly evolves. The cyber crooks behind this threat work 24/7, publishing multiple new variants and call-home addresses every single day.
- It keeps re-infecting. Emotet constantly tries to spread, often re-infecting machines that have already been cleaned up.
How can you stop Emotet in its tracks?
Protecting your Endpoints
Sophos Intercept X Advanced uses advanced machine learning to identify and block Emotet files on your endpoints, even new variants that have never been seen before. With EDR (endpoint detection and response) it also gives you full visibility of how the threat got in, every step of the attack, and which machines have been impacted.
Protecting your Network
Sophos XG Firewall’s advanced sandboxing examines executable files, and its HIPS behavioural monitoring detects Emotet and blocks it from entering the organisation. XG Firewall also blocks all known IP addresses associated with Emotet, and includes technologies to help prevent a threat like Emotet from stealing data or communicating out. The Advanced Threat Protection (ATP) capability monitors all traffic leaving the firewall for signs that a machine is communicating with malware servers, command and control servers, or hacker systems, and instantly identifies the machine and the threat.
Intercept X and XG Firewall provide Synchronized Security
Intercept X protects your endpoints against Emotet, and XG Firewall secures you at the network level. Individually, they offer the best protection around. Together they take protection to a whole new level, which Sophos calls Synchronized Security.
With Synchronized Security, Sophos products work together to identify and contain threats like Emotet. It’s all done automatically, zero-touch, in seconds. Intercept X and XG Firewall share real-time security information via a Security Heartbeat and automatically respond thanks to dynamic policies in the Firewall.
If Intercept X detects Emotet, it alerts XG Firewall, which then instantly isolates the machine, both from the outside world and from other endpoints, even those on the same network segment or switch, preventing lateral movement.
It also works the other way round: if XG Firewall detects Emotet or one of its payloads, such as TrickBot, through IPS or ATP, it informs the endpoint, which automatically isolates the infected machine directly.
If you would like more information about the Sophos solutions detailed in this email, please get in touch and our team will be able to assist.