For six months, security specialists rolled out a kind of vaccine (EmoCrash) against the ransomware Emotet for authorities and operators of critical infrastructures. EmoCrash takes advantage of a bug in Emotet to protect systems from infection. It was not until the beginning of August 2020 that the Emotet gang succeeded in switching off EmoCrash.
Emotet at a glance
Emotet is an extortion Trojan (ransomware) that is distributed by email, infects systems and then blackmails the victims. The malware first appeared as a minor banking Trojan in 2014. Since then it has evolved from an insignificant banking Trojan into a kind of Swiss army knife of the ransomware scene: after infecting a victim, it can spread across the entire network, steal sensitive data and encrypt files.
The backers, suspected to be located in the former Soviet Union, now rent out access to the infected hosts to other groups. Botnet-driven spam campaigns have been running for months to spread Emotet and extort ransom money. The gang is quite successful and has been able to collect millions in ransom money.
A bug found within the malware …
All software contains bugs – Emotet contained a vulnerability that allowed cyber security researchers to activate a kill switch. I had already noticed a few days ago that security researchers had found a bug in the Emotet ransomware that allowed the malware to be leveraged. But the approach that had been going on for the last six months in terms of 'vaccination against Emotet' had stayed under my radar. A few hours ago I saw the following tweet.
Hey guys, since #Emotet changed and patched this, I could finally write about the 0-day I found in #Emotet's Explorer installation code, and the subsequent vaccine that we (@Binary_Defense) released. https://t.co/EWtWkbMD6Q
Many thanks to @teamcymru for their help with this!
— James Quinn (@lazyactivist192) August 14, 2020
A kill switch found by James Quinn made it possible to prevent the malware from infecting systems for six months. According to the article, the defence software was made available to all federal and state administration authorities as well as KRITIS companies in a non-public manner. The kill switch was active for 182 days, between February 6, 2020 and August 6, 2020, before the malware authors patched their malware and bypassed the kill switch. Further details may be found in this Binary Defense blog post.