Emotet’s seven-year reign of terror will come to an end Sunday, April 25, 2021 – at least in theory, when law enforcement completes a scheduled mass uninstallation of its infrastructure.
A ‘scheduled uninstallation.’ Talk about going out with a whimper – that almost seems like an anticlimactic ending for the malware that security pros like Vectra President and CEO Hitesh Sheth bemoan for the havoc it wreaked; Emotet delivered Trickbot, Ryuk and the QakBot banking trojan to victim organizations all around the globe.
The welcomed seizure of the Emotet’s infrastructure is, of course, gratifying, Sheth said. But, he pointed out, no one knows “how many malware cousins of Emotet are doing more damage right now.” That sentiment is shared by researchers at Digital Shadows, who wrote today that “the rather sizable gap in the cybercriminal landscape left by Emotet begs the question; who will claim this space?”
There’s no shortage of contenders to choose from. Pointing to recent campaigns by state-sponsored APTs around Pulse Secure, Dirk Schrader, global vice president, security research at New Net Technologies, said cybercriminals will copy that method as well, so he expects “the next quite powerful malware strain is coming, for sure.”
When – and if – the next strain will rise to Emotet’s level remains to be seen. The malware reportedly controlled more than one million machines, Digital Shadows researchers noted, and raked in more than $2 billion in seven years. In the U.S. alone, state, local, tribal and territorial governments ponied up $1 million per incident to resolve the damage left in Emotet’s wake.
The malware has elevated variants like TrickBot and Ryuk into technically sophisticated and operationally capable weapons in their own right – and Digital Shadows researchers said their long-term activity is unlikely to be “significantly” harmed once the uninstallation is a done deal.
BazarCall and IcedID malware variants have already begun to surge (though they took a dip in April). The former distributes BazarLoader and BazarBackdoor, which in turn deploys Ryuk. “Given that technically sophisticated and operationally capable cybercriminals are likely opportunistic,” they’re unlikely to pass up an opportunity to fill the void left by Emotet, the researchers said.
“This will almost certainly remain the same in the future; the problem does not end with Emotet, but don’t let this convince you that defenders and law enforcement alike will be hot on the tails of any group ambitious enough to replace it,” they wrote.
That Emotet is about to be removed, “due to the latest module ‘dropped’ on an infected system,” doesn’t “guarantee that everything is removed,” said Schrader, who warns that “additional control channels might remain.”
It would be helpful, he said, if a system’s owner is alerted that it might need further forensic analysis.
No matter what malware strains might emerge to fill Emotet’s shoes, law enforcement and the industry can’t take seven years to bring it down. The damage done by Emotet in less than a decade is “alarming,” said Sheth. “None of us know how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”
Paring down the time it takes to neutralize threats relies, in large part, on “international cooperation for cybersecurity plus better response time,” he said. Those elements are essential to resolving any security issue – everything moves so fast that all factions must work in concert – across borders, across industries, across law enforcement organizations and across public and private sectors.
At the individual organization level, Shrader said, “the mantra remains, keep a tight control of your infrastructure, monitor system integrity, control changes, check for vulnerabilities, do your best to reduce your attack surface.” Don’t just chant it, though. Do it.