Detected attacks using the Emotet Trojan soared by over 1200% from Q2 to Q3 of this year, supporting a surge in ransomware campaigns, according to the latest data from HP Inc.
Powered by its acquisition of Bromium, the firm’s HP Sure Click unit captures malware at the endpoint and runs it inside secure containers.
These installations picked out a “large and sustained increase in malicious spam campaigns” spreading Emotet, especially in August. Emotet is often used as a loader, providing access to third-party threat groups to deploy secondary TrickBot and QakBot infections as well as human-operated ransomware.
In the case of the latter threat, actors often use access to victim networks provided by Emotet to perform reconnaissance as the first stage in attacks.
Alex Holland, senior malware analyst at HP Inc, warned that, based on current patterns, Emotet is likely to appear in weekly spam runs until early 2021.
“The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organizations they have breached — such as size and revenue — to appeal to buyers,” he added.
“Ransomware operators in particular are becoming increasingly targeted in their approach to maximize potential payments, moving away from their usual spray-and-pray tactics. This has contributed to the rise in average ransomware payments, which have increased by 60%.”
Japan and Australia were hit particularly hard by this uptick in Emotet activity, accounting for 32% and 20% of recipients, according to an analysis of the TLDs the malware was sent to.
Attackers typically used “thread hijacking” techniques, where a user’s inbox is compromised and monitored so that Emotet can reply to a legitimate email with malicious attachments or links. This makes success more likely, according to HP Inc.
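The thread-hijacking pattern described above leaves traces a mail gateway can score: a message that threads into an existing conversation (In-Reply-To/References set) yet suddenly carries an Office or archive attachment, a Reply-To domain that differs from the From domain (so replies go to the attacker, not the hijacked mailbox), or a subject that looks like a reply without any threading headers at all. The following scorer is an added illustration written for this article, not code from HP Inc or its Sure Click product; the sample messages, domains, thresholds and the list of "risky" extensions are constructed assumptions for the example.

```python
"""Heuristic scorer for reply-thread e-mails that resemble Emotet-style
thread hijacking.  Added example; sample data is constructed."""
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Attachment types these spam runs commonly delivered (assumed list)
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip")
FLAG_THRESHOLD = 3  # assumed cut-off for quarantining a message


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _attachment_names(msg: Message):
    """Yield the filename of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def assess(raw_message: str) -> dict:
    """Score a raw RFC 822 message and list the reasons for the score."""
    msg = message_from_string(raw_message)
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    subject = (msg.get("Subject") or "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:"))
    risky = [n for n in _attachment_names(msg)
             if n.lower().endswith(RISKY_EXTENSIONS)]
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom

    score, reasons = 0, []
    if threaded and risky:
        score += 2
        reasons.append("reply in an existing thread carries a macro-capable attachment")
    if threaded and reply_dom != from_dom:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    if looks_like_reply and not threaded and risky:
        score += 3
        reasons.append("subject claims to be a reply but no threading headers exist")
    return {"score": score, "reasons": reasons, "attachments": risky}


def flagged(raw_message: str) -> bool:
    """True when the message should be held for review."""
    return assess(raw_message)["score"] >= FLAG_THRESHOLD


def _build_sample(sender, reply_to, subject, in_reply_to, attach_name):
    """Construct a sample message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    if reply_to:
        m["Reply-To"] = reply_to
    m["To"] = "accounts@example.com"
    m["Subject"] = subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Please see the attached invoice.")
    if attach_name:
        m.add_attachment(b"\x00placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


# Constructed samples: a hijacked reply, a benign reply, and a fake reply.
SAMPLE_HIJACKED = _build_sample("Alice <alice@partner-example.com>",
                                "alice@mail-example.net", "RE: Invoice 4471",
                                "<msg1@partner-example.com>", "Invoice_4471.doc")
SAMPLE_BENIGN = _build_sample("Bob <bob@partner-example.com>", None,
                              "RE: Invoice 4471", "<msg1@partner-example.com>",
                              "Invoice_4471.pdf")
SAMPLE_FAKE_REPLY = _build_sample("Carol <carol@partner-example.com>", None,
                                  "RE: Invoice 4471", None, "Invoice_4471.zip")

if __name__ == "__main__":
    for label, raw in (("hijacked", SAMPLE_HIJACKED), ("benign", SAMPLE_BENIGN),
                       ("fake-reply", SAMPLE_FAKE_REPLY)):
        print(label, assess(raw))
```

The scoring is intentionally additive so that a single signal (say, a legitimate partner who uses a different Reply-To domain) does not quarantine mail on its own; it is the combination of threading context and an unexpected macro-capable attachment that mirrors the behaviour the article describes.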
The recent surge in ransomware infections at US hospitals was closely linked to the activity of another notorious Trojan, TrickBot, which is often used in concert with Emotet.