Emotet Giving Ransomeware A Run For Its Money As Biggest Security Threat

The rise of polymorphic types of malware like Emotet has prompted the industry to invest heavily in signature-less detection and response tools, Sophos leaders said.

Even though variants of the Emotet banking trojan date all the way back to 2014, SophosLabs continues to see between 300 and 400 different variants of Emotet each and every day, according to Dean Shroll, director of sales engineering, Central, at Sophos.

Emotet is an example of polymorphic malware, meaning it changes a little bit each and every time it hops from one computer to the next, making it impossible for old-school, signature-based anti-virus tools to detect the malware, said Ryan Archer, director of sales engineering, East, at Sophos (pictured).

[Related: Sophos Buys Startup Avid Secure To Bolster Public Cloud Protection]

"It's starting to really impact businesses," Archer said Saturday during XChange University: IT Security, hosted by CRN parent The Channel Company. "It's literally a huge game of whack a mole."

Archer likened Emotet to the battering ram used by SWAT teams to gain access to a property. Emotet is really good at spreading, Archer said, and has been designed to lay low every so often so that the human thinks it's been eradicated.

Emotet is primarily used to secure and maintain access to a machine, Archer said, allowing the adversary to do anything from inserting ransomware to stealing intellectual property so long as that access is maintained.

The stakes around Emotet are significantly heightened once it's able to get onto machines, connect back to command and control, and learn more about customer environments, Shroll said. For instance, Shroll said the adversaries will push for huge payouts if they ended up infiltrating a health care organization given how costly data exposure is in that vertical.

"Emotet is one we're seeing very quickly catch up with ransomware," Archer said. "Ransomware is still going to be the biggest one because it's such a moneymaker… [But] Emotet is that door-breacher to get in."

Businesses looking to combat Emotet need to monitor activity at the file and network level since it's constantly modifying its appearance, according to Michael Knight, a cybersecurity industry veteran and longtime solution provider executive.

"You need to have a network-aware and action-aware platform to handle Emotet," Knight said.

Knight said endpoint detection and response (EDR) vendors are able to layer in additional levels of security since they possess a massive grid of information and can spot potential areas of danger using predictive technology.

Malware burst onto the scene in 2007 after a Caltech student wrote code for polymorphic malware, according to Archer. The malware's ability to take different forms changed the entire anti-virus industry, Archer said, making it so that having signatures wasn't enough anymore.

The polymorphic shift means that SophosLabs now sees 400,000 different bits of malware every day, according to Archer.

"A lot of times, it's just a variant of something that's existed for many, many years," Archer said. "But they're able to just go in and tweak it a little bit."

Organizations need to turn to SIEM (security information and event management) or EDR tools once a threat actor has successfully infiltrated their environment, Shroll said. Small businesses, however, almost always struggle with deploying SIEM properly and dedicating the manpower needed to monitor it effectively, according to Shroll.

Shroll believes EDR holds a lot of potential once an adversary is in the customer's environment and the client needs assistance with anomalous detection.

"At that point, security has already failed or they've found another way in, and that's where it gets really critical to get that information so that you can protect it," Shroll said.