Emotet: The Cyber Threat That Costs an Average of $1 Million Per Incident

The Government agency Europol recently reported a victory in its efforts to stop the particularly dangerous Emotet malware, taking down hundreds of servers that were allowing it to operate.  However, businesses shouldn’t get complacent and assume they can’t be affected. We take a look at what Emotet is, how it’s spread and how to try and guard against it.

What is Emotet?

Emotet is a computer malware program that was originally developed in the form of a banking Trojan. It was first detected in 2014 when customers of German and Austrian banks were affected.  Emotet is a bot/zombie meaning that it communicates with command-and-control servers operated by cybercriminals and as such, can be given new instructions.

How does it spread?

Emotet has traditionally been spread via infected Word documents in emails (phishing) using a number of different lures over time to trick the recipient into clicking on the infected link.  Past email campaigns have included invoices, shipping notices and information about COVID-19.

It has been reported that Emotet is able to continue spreading by using ‘Outlook harvesting’, whereby the Trojan reads emails from users already affected and creates its own (deceptively real) emails, containing an infected Word document with a malicious link that appears legitimate and personal and stands out from ordinary spam emails. Emotet is then able to send these phishing emails to stored contacts like friends, family members, and work colleagues.

Bots/Zombies can work together to form a ‘Botnet’.

The infrastructure that has been created by victims who have downloaded Emotet’s bots/zombie malware can allow a cyber-criminal to use a group of zombie computers as part of a whole botnet i.e., a number of internet-connected devices, each of which is running one or more bots, to launch a variety of different attacks.  This is because once a computer has become infected it is added to the Emotet botnet which uses the particular computer as a downloader for other threats.

When a device is infected (e.g. due to someone clicking on the link in the infected Word document sent via email), a botnet of Emotet infected machines is used to penetrate associated systems using brute-force attacks (DDoS, mass spam emails, click fraud in adverts and more). Emotet then delivers modules to extract passwords from local apps and spreads sideways to other computers on the same network as well as stealing entire email threads to be reused for spam campaigns. It can also be used to provide Malware-as-a-Service (MaaS) to other malware groups to rent access to the Emotet-infected computers.

Why is it so dangerous?

There are several factors that have made Emotet a particularly dangerous threat.  These include:

  • It’s polymorphic. This means that its code changes a little every time it is accessed. In this way, it is able to keep evading anti-virus programs.
  • The fact that it continually adds infected devices to an ever-growing botnet (Emotnet) and checks back for more instructions means that it is essentially a growing infrastructure that can be repeatedly exploited by cybercriminals, as and when they wish.
  • As of February last year, researchers Binary Search discovered that Emotet can attack Wi-Fi networks, then scan all wireless networks nearby and use a password list to try and gain access to those networks and the devices on them.  This gives it incredible potential spreading power.
  • The extent of the damage that it causes makes the clean-up operation for Emotet is very expensive.  For example, in the US, the Department of Homeland Security estimates that the cost of the clean-up for Emotet attacks is estimated at around one million US dollars per incident.


Although there is no 100 per cent guaranteed way to protect against a constantly changing polymorphic Trojan like Emotet, there are some measures that can be taken to minimise infection risk.  These include:

  • Keep up to date with all computer and security updates and make sure that anti-virus software is up to date.
  • Make sure that your data is being regularly backed up to a secure location.
  • Only use very strong passwords and don’t share them between different accounts.
  • Set computers to display file extensions by default, thereby allowing possible detection of dubious files, e.g. self-extracting zipped executable files (.exe).

Recent developments

Europol claims that because of co-ordinated action between itself and Eurojust (the European Union Agency for Criminal Justice Cooperation) it has managed to seriously disrupt the Emotet infrastructure, thereby significantly reducing the threat.  Europol says that a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine means that investigators have taken control of the Emotet infrastructure thereby disrupting “one of most significant botnets of the past decade”.

If you have any concerns please feel free to contact us.

For more information on our cyber security services, please click here.