Why Emotet Waves Keep Crashing and How to Make Them Stop

Emotet is one of the most dangerous and persistent cyberthreats currently in the wild. With a track record of hundreds of thousands of variants thus far, it is also responsible for 45% of URLs that were used to download malware. It has been used as an early stage infection in many of the most notorious recent ransomware attacks which successfully breached top-tier organizations despite their rigorous security controls.

The way Emotet operates as a campaign is one of the main reasons for its success. On a purely technical perspective it has a lot of capabilities; it’s evasive and sophisticated, but even that is not enough to fully explain its success. If you look at its modus-operandi you can identify how it’s been able to get a successful edge over and above other equally sophisticated malware campaigns.

Long Moments of Moratorium

Emotet’s activity has always come in waves. These waves represent short periods of high-volume activity and then long periods of no activity, where they have gone silent, at times, for several months.

This pattern of operating with short bursts of activity, entails that each time Emotet appears it is with new and improved infrastructure — designed with new evasion techniques, new C2 servers and URLs, along with a list of new targets. This ability to constantly re-create itself is what makes Emotet persistently successful over a long period of time.

The typical course for most other malware campaigns is that they tend to experience a heyday and a period of success, but only for a limited time. Eventually, security analysts and vendors catch up with the new malware, they learn how to remediate and prevent it, and as the malware becomes more known and understood, its success rate dwindles, until inevitably it dies down.

Emotet’s ability to keep reinventing itself is what enables it to be a continual threat. In the cat and mouse game of malware, where analysts are perpetually chasing after hackers, Emotet’s ceasing of all activity over long periods of time, is really what makes it so elusive and difficult to catch. 

In that time of moratorium, the hackers learn, improve, and iterate. Emotet is increasingly becoming more evasive even by A.I. based security products. Its creators understand that most products today use some form of A.I. or machine learning models, and they work hard to develop their technics to specifically evade and bypass these models.

The creators of Emotet have realized that by pulling back, by going back to the “bunkers” to reorganize and only then coming back, do they get their edge and keep well ahead of those hunting after them. It’s a very smart methodology, and while they intentionally don’t endlessly monetize their campaigns, this methodology is clearly working.

Emotet – The Super Predator

The combined success of this mode of operation and technological innovation makes it a significant force to be reckoned with. Emotet is highly evasive and because of that has a very high infection rate. It has a track record of evading a lot of security products and operations, and for that reason we see so many other malware campaigns riding on top of Emotet.

Emotet has become the super predator that a lot of other malware campaigns ride atop of, be they financial malware, ransomware or other types of malware, like Ryuk. They are all “piggy-backing” off the top of Emotet which they use as an effective dropper to land on. Much of this malware that is dropped in a second stage of infection, often times is through an agreement, but not always.  On many occasions, after Emotet has brought down an infected machine, those who can find it, leverage it for further infection. Even for malware that would be ineffective on its own and detected straight away, once Emotet has breached the security threshold, it becomes a free for all.

This development represents a change in the business model for Emotet. Understanding the effectiveness of their malware’s operations, its creators have packaged the malware and sold it on to third parties who can take further advantage of the infected targets to drop their own malicious malware.  

This has transformed Emotet creators from being their own group, who are only sporadically monetizing from their own activity to becoming a business enterprise offering their model for use in other hackers’ campaigns. That is why we see so many campaign variants in the wild, that are all using Emotet in their first stage of operations. This gives Emotet operators two things: first, they get a share of the profits of those other malware campaigns; and second, they are still profiting off their own operations. In the process of delivering their own malware, they are harvesting more emails and targets, which compounds Emotet’s value on the dark web.

The Scale Needed for a Solution

Considering the success of Emotet and its centrality to the malware threat landscape, in terms of its enablement and scale of operations, it will take combined industry and government action to systemically resolve this threat. The decentralized use of Emotet will require a similar collaborative effort to what we’ve seen with Trickbot, where the U.S. Cyber Command branch of the Department of Defense collaborated with numerous cybersecurity companies to stem the tide of the malware’s impact.

Shutting down Emotet would include shutting down its infrastructure, working with ISPs, not just cybersecurity companies. From a law enforcement perspective, there needs to be a dedicated effort towards understanding who is behind it and creating the legal pathway for arrest and indictment of malware creators. The damage that Emotet causes justifies that level of attention and resource allocation. The only effective way to systemically take down this wide-scale threat is for nation states, their law enforcement agencies and private enterprise, to collaborate, and share their intelligence. In the failure to do that, these new malware waves will keep coming.

Print Friendly, PDF & Email
VP Research & Deep Learning at

Shimon is a cyber security expert with experience in research and operations, both offensive and defensive. Prior to joining Deep Instinct in 2016 Shimon served for 14 years as an officer in the IDF’s elite cyber unit 8200. Shimon’s background includes a wide range of cyber security and research positions, where he managed multifunctional teams of hackers, researchers and engineers. Shimon led the development of new methods and tools for the analysis of cyber-campaigns, as well as a series of innovative cyber intelligence collection capabilities. Over the years Shimon has worked extensively with a variety of industry, defense and intelligence partners and agencies in North America and Europe. He is a recipient of the President of Israel Award for Outstanding Military Service, holds a B.Sc (Magna Cum Laude) in Electrical Engineering from Ben Gurion University and MBA (Cum Laude) in Finance and Accounting from Tel Aviv University.

Leave a Reply

Your email address will not be published. Required fields are marked *