Description
Security researchers have recently found that the Emotet botnet is now being utilized to distribute the Quantum and Blackcat ransomware after the disband of the Conti ransomware operations.
Summary
The Emotet malware rose to the forefront as a banking Trojan in 2014, originally designed to sneak on to a device and steal sensitive and private information. Later versions of the malware, however, saw the inclusion of spam activities, C2 communication and malware delivery services such as delivery of other banking Trojans and ransomware. The typical attack pattern used now entails the use of Emotet as the initial vector to drop Cobalt Strike, which is then used as a post-exploitation tool for other malware. Emotet is spread through spam emails that includes either a malicious script, macro-enabled document or malicious link. It also features software evasion techniques and has the ability to spread laterally on a network.
Recently from November 2021 to June 2022, Emotet was solely used to distribute the Conti ransomware tool until the Conti organization was shut down. From then on, Emotet is now used to distribute the Quantum and Blackcat ransomware. Both ransomwares are classified as ransomware as a service (RaaS), which is a business model that enables threat actors to purchase subscriptions to a ransomware for executing attacks. The BlackCat ransomware activities was seen since 2021 and the new Quantum ransomware was seen in early 2022.
Remediation
To circumvent this type of malware, users are advised to follow the steps below:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Emotet botnet distributes Quantum and BlackCat ransomware.pdf
References