EmoCrash protected systems for 6 months against Emotet infections

For six months, security specialists rolled out a kind of vaccine (EmoCrash) against the ransomware Emotet for authorities and operators of critical infrastructures. EmoCrash takes advantage of a bug in Emotet to protect systems from infection. It was not until the beginning of August 2020 that the Emotet gang succeeded in switching off EmoCrash.


Emotet at a glance

Emotet is an extortion Trojan (ransomware) that is distributed by email, then infects systems and blackmails the victims. The malware first appeared as a minor banking Trojan in 2014. Since then, the malware has evolved from an insignificant banking Trojan into a kind of Swiss army knife of the ransomware scene. After infecting victims, the malware can spread over their entire network, steal sensitive data and encrypt files.

The backers, suspected to be based in the former Soviet Union, now rent out access to the infected hosts to other groups. Botnet-driven spam campaigns have been running for months to spread Emotet and extort ransom money. The gang is quite successful and has been able to collect millions in ransom money.

A bug found within the malware …

All software contains bugs, and Emotet contained a vulnerability that allowed cyber security researchers to activate a kill switch. I had already noticed a few days ago that security researchers had found a bug in the Emotet ransomware that allowed the malware to be disabled. But the approach that had been going on for the last six months in terms of 'vaccination against Emotet' had stayed under my radar. A few hours ago I saw the following tweet.

A kill switch found by James Quinn made it possible to prevent the malware from infecting systems for six months. According to the article, the defence software was made available to all federal and state administration authorities as well as KRITIS (critical infrastructure) companies in a non-public manner. The kill switch was active for 182 days, between February 6, 2020 and August 6, 2020, before the malware authors patched their malware and bypassed the kill switch. Further details may be found in this Binary Defense blog post.

