CERT-Bund/BSI Warning about Emotet-Trojan/Ransomware

[German]In the last few days there have been a number of reports of cyber incidents in German institutions that are attributed to the emotet Trojan/Ransomware. The BSI warns of the danger, especially since spam mail is sent 'on behalf of the federal authorities' with this malware in its luggage.


I've discussed the last cases in the German article Trojanerbefall in Stadt Bad Homburg und Hochschule Freiburg. But also Frankfurt and the University of Gießen were infected – although the infection in Frankfurt was probably mild – the IT systems are back in operation after a day. In the following tweet, CERT-Bund points out the danger of an infection with the Trojan Emotet.

After an infection of the Windows system, the Trojan can reload any malware and constantly converts its signatures and attack variants. It seems also that the cyber criminals behind Emotet has changed their tactics: The Trojan horse are no longer delivered in mail attachments. Instead, a link to compromised websites is sent by email. A drive-by downloader then waits on the pages or the user is tricked into to download an Emotet Trojan via a file. 

(Source: Pexels Markus Spiske CC0 Lizenz)

Nasty: German authorities infected

There is a fresh warning from the German Federal Office for Information Security (BSI). Bleeping Computer have also addressed it. According to the report, the BSI has been notified of several confirmed emotet-infections in authorities of the federal administration. 


(Source: Bleeping Computer)

The unknown attackers are currently using the data copied in the process to send fraudulent e-mails with dangerous file attachments or links on behalf of several federal authorities. Greta Thunberg is also being misused as bait in spam mail, as this article reveal – and the cyber criminals are constantly adjusting their strategy – Bleeping Computer has made it a subject of discussion here.

Prevent infection in advance

Administrators in corporate environments should take steps to block infection vectors. Here is a recommendation from CERT-Bund:

But also the following tweet from the USA indicates that infections can also occur via USB devices.

To minimize the damage in case of an infection, administrators and computer users should have emergency instructions on how to act in case of suspected infection. Within the following tweet Catalin Cimpanu recommended not to restart the system after an infection.

Instead switch to the Hibernate mode, cut the network connection and let a specialist check the isolated system for a possible infection. It will be also a good idea, to read the FAQ: Responding to an Emotet infection and prepare for the emergency case.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *