What is Emotet malware? And what does it do?


Emotet is so-called “polymorphic malware” – which constantly adapts itself to avoid detection. The malware is often used by cyber criminals as a springboard to gain access to corporate environments. Once inside, attackers often look for ways to gain further access to the network.

What can you do as an organization to protect yourself from Emotet (and other polymorphic malware)? And what if your organization is affected by Emotet, QakBot, Dridex or other malware?

Ransomware by Emotet infection

As a business owner, you don’t want to think about your organization’s files being encrypted by an internet criminal – but unfortunately, it’s happening more and more often. Emotet, QakBot, Dridex and other malware are often used as springboards to hack a network and then deploy ransomware. There are now even providers that offer ransomware as a Software-as-a-Service (SaaS) solution – this is also known as Ransomware-as-a-Service (RaaS). In this model, a ransomware creator sells a software package, which other criminals then use to attack victims.

Protect yourself against malware

It is important for organizations to better guard against malware like Emotet and its consequences. These tips can help ensure that your organization is more resilient to polymorphic malware.

  1. Make backups using the 3-2-1 principle

The 3-2-1 backup principle is certainly not a luxury; the principle is as follows:

  • Make sure you have 3 copies of your most important data
  • Keep backups on at least 2 different media (e.g., hard drive and tapes)
  • Store 1 copy offsite, at another physical location

3 copies of your most important data
Make sure you store important data securely in three different locations – so not in the same folder or on the same disk. The more copies you keep of your data in different locations, the lower the risk of losing the data becomes. Also check that your IT administrator is actually backing up your data.

2 different storage media
If several copies have been made, it is obviously not sensible to keep them all on the same device. In an age where viruses, malware and hackers are the order of the day, you run the risk (and the risk is high if you haven’t secured the device properly) of losing all the data on the device where you stored it. Therefore, make sure you have a copy on at least two different storage media, for example a NAS as well as tapes.

1 backup offsite
Finally, it is important to physically separate your third copy. So make sure you don’t keep all the data in the same physical location; keep in mind, for example, that a fire could break out or the building could be broken into.
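The three rules above can be checked mechanically against an inventory of where your copies actually live. The following is an added example written for this page (it is not NFIR's tooling); the inventory format, a list of dicts with `path`, `device`, `media` and `offsite` keys, is an assumption, and in practice you would fill it from your backup software's catalogue. It also catches the common mistake the text warns about: two "copies" that are really two folders on the same disk.

```python
"""Added example: audit a backup inventory against the 3-2-1 rule.

Illustration code for this page, not NFIR's tooling. The inventory format
(list of dicts with 'path', 'device', 'media' and 'offsite' keys) is an
assumption made for the example.
"""
from collections import Counter


def audit_321(copies):
    """Return a list of rule violations for a backup inventory.

    copies: list of dicts, one per copy of the protected data set:
        path    - where the copy lives (label only)
        device  - identifier of the physical device/volume holding it
        media   - medium type, e.g. 'disk', 'tape', 'cloud'
        offsite - True when the copy is kept at another physical location
    An empty list means the inventory satisfies 3-2-1.
    """
    problems = []

    # Rule 1: at least three copies on three *different* devices.
    # Two folders on the same disk share one failure domain, so they
    # count as a single copy here.
    devices = {c["device"] for c in copies}
    if len(devices) < 3:
        problems.append(
            f"only {len(devices)} independent copies (need 3); "
            f"devices: {sorted(devices)}"
        )

    # Rule 2: at least two different medium types.
    media = Counter(c["media"] for c in copies)
    if len(media) < 2:
        problems.append(f"all copies on one medium type: {dict(media)}")

    # Rule 3: at least one copy kept at another physical location.
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")

    return problems


# Constructed sample inventories (not real systems).
GOOD_INVENTORY = [
    {"path": "/srv/data", "device": "srv01-sda", "media": "disk", "offsite": False},
    {"path": "nas://backup/data", "device": "nas01", "media": "disk", "offsite": False},
    {"path": "tape:LTO-2024-07", "device": "tape-LTO-2024-07", "media": "tape", "offsite": True},
]

# Looks like three backups, but two are folders on the same disk,
# everything is on disk, and nothing leaves the building.
BAD_INVENTORY = [
    {"path": "/srv/data", "device": "srv01-sda", "media": "disk", "offsite": False},
    {"path": "/srv/data_copy", "device": "srv01-sda", "media": "disk", "offsite": False},
    {"path": "/mnt/usb/data", "device": "usb-01", "media": "disk", "offsite": False},
]

if __name__ == "__main__":
    for name, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        issues = audit_321(inventory)
        print(name, "OK" if not issues else issues)
```

Running the script reports the good inventory as OK and lists three separate violations for the bad one; each rule is reported independently so that an administrator can see exactly which part of 3-2-1 is missing rather than a single pass/fail.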

  2. Provide a behavior-based antivirus/EDR solution

It is important to use a behavior-based antivirus or EDR solution within the organization. Because polymorphic malware tries to hide by constantly changing its own code, it is often best detected by looking at its behavior. Modern antivirus/EDR solutions look not only at whether they have seen a threat in the past, but also at whether a program exhibits behavior that may be rogue.
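The difference between the two approaches can be shown in a few lines. The following is an added example for this page, not the detection logic of any real antivirus or EDR product: a "known bad" hash list stands in for signature-based detection, and a single assumed behavior rule (an office application starting a script interpreter) stands in for behavior-based detection. The two "samples" and the process events are constructed byte strings and tuples, not real malware or real telemetry.

```python
"""Added example: why a hash signature misses a repacked sample while a
behavior rule still fires. Illustration code for this page, not any
product's detection logic. Samples, events and the rule are constructed."""
import hashlib

# Two constructed "samples". The variant is the same program repacked so
# that its bytes (and therefore its hash) differ; nothing here is real code.
SEEN_SAMPLE = b"constructed-sample-body:build-1"
VARIANT_SAMPLE = b"constructed-sample-body:build-2"


def file_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Signature approach: the scanner only knows files it has seen before.
KNOWN_BAD_HASHES = {file_hash(SEEN_SAMPLE)}


def signature_detect(payload: bytes) -> bool:
    """Flag only if this exact file content was seen before."""
    return file_hash(payload) in KNOWN_BAD_HASHES


# Behavior approach: look at what a process does, not what it looks like.
# Assumed rule for the example: an office application launching a script
# host is suspicious, whichever file caused it.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}


def behavior_detect(events):
    """events: iterable of (parent_image, child_image) process-start pairs.
    Returns the pairs that match the behavior rule."""
    hits = []
    for parent, child in events:
        if parent.lower() in OFFICE_APPS and child.lower() in SCRIPT_HOSTS:
            hits.append((parent, child))
    return hits


# Constructed process-start events; both sample builds would produce the
# same sequence because the behavior, unlike the bytes, does not change.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe"),   # user opens a document
    ("winword.exe", "splwow64.exe"),   # print helper: normal
    ("winword.exe", "powershell.exe"), # office app -> script host: flagged
    ("services.exe", "svchost.exe"),   # system noise
]


def compare_approaches():
    """Summarize what each approach sees for the repacked variant."""
    return {
        "signature_sees_known_build": signature_detect(SEEN_SAMPLE),
        "signature_sees_variant": signature_detect(VARIANT_SAMPLE),
        "behavior_hits": len(behavior_detect(SAMPLE_EVENTS)),
    }


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
```

The hash list catches the build it already knows and nothing else; a single changed byte is enough to produce a new hash. The behavior rule fires on the process relationship, which stays the same however often the file is repacked. Real EDR products combine many such rules with hash and reputation data, but the principle of judging a program by what it does is the one that holds up against polymorphic malware.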

  3. Have a digital burglar alarm installed

In order to detect whether an attacker may be trying to get in, it is important to apply some form of security monitoring to the corporate network. This is just as important as having an alarm system for your office building. Security monitoring means watching network traffic for signs of attackers: a kind of digital burglar alarm.
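As a concrete illustration of what such monitoring does, the following is an added example for this page (not NFIR's monitoring stack): it reads connection records and raises an alert when one internal source contacts many distinct internal hosts within a short window, a pattern an attacker moving through a network leaves behind and that a normal workstation rarely produces. The record format (`time source destination port`), the threshold and the window are assumptions, and the records themselves are constructed.

```python
"""Added example: a minimal "digital burglar alarm" over connection logs.

Illustration code for this page, not NFIR's monitoring. The log format,
window and threshold are assumptions; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (not real traffic): "time src dst dport".
SAMPLE_FLOWS = """\
2024-01-15T09:00:01 10.0.0.5 10.0.0.10 443
2024-01-15T09:00:03 10.0.0.5 10.0.0.10 445
2024-01-15T09:00:04 10.0.0.5 10.0.0.11 445
2024-01-15T09:00:05 10.0.0.5 10.0.0.12 445
2024-01-15T09:00:06 10.0.0.5 10.0.0.13 445
2024-01-15T09:00:07 10.0.0.5 10.0.0.14 445
2024-01-15T09:00:08 10.0.0.5 10.0.0.15 445
2024-01-15T09:00:20 10.0.0.7 10.0.0.10 443
2024-01-15T09:05:00 10.0.0.7 10.0.0.20 443
"""


def parse_flows(text):
    """Parse records into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_sweeps(flows, window=timedelta(seconds=60), threshold=5):
    """Alert when one source reaches >= threshold distinct hosts inside window.

    Returns a list of (source, window_start, distinct_hosts), at most one
    alert per source so a noisy host does not flood the analyst.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _dport in sorted(flows):
        by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append((src, events[start][0], len(hosts)))
                break
    return alerts


def run_alarm(text=SAMPLE_FLOWS):
    return detect_sweeps(parse_flows(text))


if __name__ == "__main__":
    for src, since, count in run_alarm():
        print(f"ALERT {src} reached {count} distinct hosts since {since.isoformat()}")
```

On the constructed records, `10.0.0.5` reaches five different hosts within seven seconds and produces one alert, while `10.0.0.7`, which talks to two hosts five minutes apart, stays silent. A real deployment would feed this kind of rule from firewall or NetFlow exports and tune the window and threshold to what is normal for the environment, since a backup server or a vulnerability scanner legitimately contacts many hosts.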

Want to know if your company is resilient to Emotet?

Do you want to know to what extent your company network is technically resilient to hackers? Please contact us. We are happy to assist you and will do everything we can to support your organization in the field of IT security!

Security incident? Get acquainted with incident response

Our incident response team is available 24/7 to identify and resolve any cyber incident

The media report news about cyber-attacks, data breaches or ICT failures caused by suspected cyber-attacks on a daily basis. It turns out that organizations are often poorly prepared for such a cyber incident. This is unwise, because such incidents can cause huge disruptions. Today, any organization can fall victim to a cyber attack due to exploited vulnerabilities in its own network or in those of its software vendors. These attacks are usually not aimed at your organization specifically, but in some cases they do target a specific organization.

Read more: How can your organization prepare for a cyber incident?

Ransomware is on the rise, no one will deny that anymore. Where once the goal was to gain access to bank accounts, attackers are now getting paid to decrypt victims’ files.

Read more: How do you prevent your organization from becoming infected with ransomware?

  • Triage: the aim of this step is to identify the source(s) and affected devices and/or systems, set priorities based on these and determine the plan of approach for further research. At the same time, data is safeguarded in a forensic way for possible further investigation.
  • Containment: this process involves restoring affected devices and/or systems and verifying security so normal operations can resume.
  • Post-incident activities: when the incident is resolved, a forensic investigation report is prepared. The report proposes solutions to prevent a similar event from occurring in the future. NFIR can also support and/or advise in the communication towards the Data Protection Authority, attorneys at law and other parties involved.

The NFIR team consists of digital forensic investigators, ethical hackers and team leads who have extensive experience with cyber security incident response. After notification of the security incident, a team is assembled that gives its assessment. The size of the team depends on the type of cyber incident. Of course, all members of the team work forensically throughout this process.

We stand for communicating in clear language with our customers, and we report our findings in the same way. In addition, we follow a ‘numbers tell the tale’ approach, which enables us to help you in a targeted way by means of various types of research. This approach also drives the further development of our services, so that they keep pace with changing practice.

NFIR stands for offering technical and organisational support, security services and training. With our knowledge and experience we can provide you with technical advice and advise you on the procedures and processes of information security. Engaging NFIR helps you to increase the cyber security resilience of your organisation in several areas.