Financial Services Malware Just Won’t Die: What to Do About It?
If financial services cybersecurity professionals don’t already have enough to worry about between new threats and evolving tactics, the continued reemergence of the Emotet malware shows the importance of continuing to defend against cyberattacks we once thought were defeated.
Emotet is back
First discovered in 2014, Emotet has returned multiple times, prompting Europol to describe it as “one of the most professional and long-lasting cybercrime services out there.” Europol issued that statement in January 2021, after law enforcement agencies from eight countries announced they had taken control of the Emotet infrastructure “in an international coordinated action.”
However, Emotet then resurfaced in November 2021. Akamai also saw a strong increase in Emotet infections in the wild in February, July, and October 2021 by monitoring websites associated with Emotet malware.
Most-reported malware
Unsurprisingly, the Financial Services Information Sharing and Analysis Center determined that Emotet was the most-reported malware by financial organizations in 2020. The FBI, which participated in the coordinated takedown of Emotet infrastructure, identified more than 45,000 computers and networks in the United States that had been affected by the malware.
The Emotet trojan typically spreads via phishing emails: once a user clicks a link that opens a macro-enabled attachment, the malware launches. It is particularly evasive and hard to detect because it covers its tracks by blending into ordinary email traffic, using reconnaissance on the victim’s mailbox to do so.
More specifically, the trojan is capable of accessing old email messages in a victim’s inbox and, by replying to them, adding itself to an existing email conversation. Purporting to be a legitimate correspondent, it then sends along a malicious attachment.
Rather than inflicting damage on a victim’s device, it primarily functions as a downloader or dropper of other malware code. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes it as “a polymorphic banking Trojan that can evade typical signature-based detection.”
Although Microsoft closed off one vulnerability in March, blocking internet-sourced Visual Basic for Applications (VBA) macros by default as of July, attackers are still finding their way in.
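As an added example (not code from the original post, and not Akamai's own detection logic), here is a small Python check that a mail gateway or SOC analyst could run over a message to surface the pattern described above: a macro-carrying Office attachment arriving in a reply to an existing thread from a sender outside the organization. The internal domain, the sample messages and the attachment bytes are constructed for the example. The VBA check looks for a `vbaProject.bin` part inside the Office container rather than trusting the file extension, so a document renamed to `.docx` is still caught.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Office extensions that declare macro support outright.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# Assumption for this example: the protected organization's mail domain.
INTERNAL_DOMAIN = "example-bank.test"


def build_macro_enabled_docx() -> bytes:
    """Constructed sample: a minimal Office Open XML zip that carries a
    vbaProject.bin part, the structural marker of an embedded VBA project.
    Not a real document and contains no macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def attachment_has_vba(data: bytes) -> bool:
    """True when the bytes are an OOXML container holding a VBA project,
    regardless of what extension the file name claims."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def sender_domain(msg: EmailMessage) -> str:
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def assess_message(raw: bytes) -> list:
    """Return findings for one RFC 5322 message: any macro-carrying
    attachment, and whether it rides on a reply to an existing thread
    from a sender outside the organization."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = msg.get("Subject", "")
    is_reply = subject.lower().startswith("re:") or msg.get("In-Reply-To") is not None
    external = sender_domain(msg) != INTERNAL_DOMAIN
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in MACRO_EXTENSIONS or attachment_has_vba(data):
            findings.append(f"macro-enabled attachment: {name}")
            if is_reply and external:
                findings.append("macro attachment in reply to existing thread from external sender")
    return findings


def _message(sender: str, subject: str, attachment: bytes, filename: str,
             reply_to_id: Optional[str] = None) -> bytes:
    """Build a constructed sample message with one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"ops@{INTERNAL_DOMAIN}"
    msg["Subject"] = subject
    if reply_to_id:
        msg["In-Reply-To"] = reply_to_id
    msg.set_content("Please see the attached figures.\n\n> earlier message text quoted here")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_hijacked_thread_message() -> bytes:
    """Constructed sample: outside sender replies into an internal thread
    with a file named .docx whose container nonetheless holds a VBA project."""
    return _message("Jane Doe <jane.doe@partner-example.test>", "Re: Q3 settlement figures",
                    build_macro_enabled_docx(), "Q3_figures.docx",
                    reply_to_id=f"<thread-1234@{INTERNAL_DOMAIN}>")


def build_benign_message() -> bytes:
    """Constructed sample: internal sender, non-Office bytes, not a reply."""
    return _message(f"ops@{INTERNAL_DOMAIN}", "Q3 settlement figures",
                    b"%PDF-1.4 constructed placeholder", "Q3_figures.pdf")
```

The reply-plus-external-sender heuristic is deliberately crude: in a real gateway it would contribute to a risk score alongside sender-authentication results and attachment sandboxing rather than block on its own, but it captures exactly why a hijacked thread looks trustworthy to the recipient and why the content of the attachment, not its name, has to be inspected.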
Crimeware for the asking
Emotet is an early example of malware as a service — basically a loader for hire that cyberattackers can rent to deliver their own malware. Dubbed the “triple threat” by many security experts, it has been used to deliver the TrickBot malware, which in turn has been used to unleash Ryuk attacks that reportedly accounted for one-third of all ransomware attacks in 2020.
This is a clear example of the organized crime characteristics of cyberattacks. An underground ecosystem of cybercriminals connects individual malevolent actors with sophisticated criminal syndicates that operate networks of infected computers — or botnets — that can be controlled from a centralized computer to deploy attacks.
Advising end users to avoid clicking these baited links can only go so far in deterring cyberattacks. There is no realistic way to ensure that all enterprise systems are fully secure. When one system is infected, the malware quickly tries to move laterally through the network to find more targets of opportunity.
Focus on the organization’s crown jewels
Financial services organizations must focus their security efforts on protecting their “crown jewels” — their most sensitive, mission-critical data — and deterring lateral movement of ransomware and malware.
Move to a Zero Trust security model
A Zero Trust security architecture replaces a perimeter-centric security architecture. It ensures that security and access decisions are dynamically enforced on the basis of identity, device, and user context. A Zero Trust security framework also dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the internet.
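As an added illustration (not Akamai's product logic and not code from the original post), the following Python sketch contrasts a perimeter-style decision with a Zero Trust decision for the same access request. The applications, users, roles and device-posture fields are constructed assumptions. The point it demonstrates is the one made above: the Zero Trust rule set ignores network location entirely and grants access to one application only after identity, multi-factor authentication and device posture have all been verified, so a compromised host on the internal network gains nothing from its position.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]        # None when the session is unauthenticated
    mfa_verified: bool         # strong second factor completed for this session
    device_managed: bool       # device enrolled in management
    device_compliant: bool     # posture reported healthy (assumed: encryption on, EDR running)
    app: str                   # the single application being requested
    source_network: str        # "corp" or "internet"; carries no trust in the Zero Trust model


# Constructed sample policy: per-application authorization, with the most
# sensitive ("crown jewel") applications demanding a managed, compliant device.
APP_POLICY = {
    "payments-ledger": {"roles": {"treasury"}, "crown_jewel": True},
    "hr-portal": {"roles": {"hr", "treasury"}, "crown_jewel": False},
}

# Constructed sample identity data.
USER_ROLES = {"alice": {"treasury"}, "bob": {"hr"}}


def perimeter_decide(req: AccessRequest) -> bool:
    """The model being replaced: anything already inside the network is trusted.
    A malware-infected workstation on the corp network passes this check."""
    return req.source_network == "corp"


def zero_trust_decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request against identity, device and context. Every
    branch is a default-deny; a grant is scoped to this application only,
    never to the network, which is what removes the lateral-movement payoff."""
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_verified:
        return False, "mfa required"
    app = APP_POLICY.get(req.app)
    if app is None:
        return False, "unknown application: default deny"
    if not USER_ROLES.get(req.user, set()) & app["roles"]:
        return False, "user not authorized for application"
    if app["crown_jewel"] and not (req.device_managed and req.device_compliant):
        return False, "crown-jewel app requires managed, compliant device"
    return True, f"allow: scoped to {req.app} only"


if __name__ == "__main__":
    # An infected corp-network host with no session at all: allowed by the
    # perimeter model, denied by Zero Trust.
    infected = AccessRequest(None, False, False, False, "payments-ledger", "corp")
    print("perimeter:", perimeter_decide(infected))
    print("zero trust:", zero_trust_decide(infected))
```

Running the block prints `True` for the perimeter decision and `(False, 'unauthenticated')` for the Zero Trust one. Note that the same user on a managed, compliant device reaches the crown-jewel application from the internet, while an authorized user on an unmanaged device is refused that application but can still use a lower-sensitivity one; the decision follows the identity, device and application, not the network.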
Improve data protection and security
Akamai helps organizations transition to a Zero Trust security architecture with a portfolio of cybersecurity solutions including:
Akamai Guardicore Segmentation, which allows security professionals to easily set up control policies to detect breaches and stop the spread of ransomware before attackers can gain access to your infrastructure and applications.
Secure Internet Access, a secure web gateway, which proactively identifies, blocks, and mitigates targeted threats such as malware and phishing.
Zero Trust Network Access, a cloud-delivered, identity-aware, high-performance service for secure application access to reduce the reliance on cumbersome and insecure virtual private networks.
Akamai MFA, which delivers strong user authentication with phish-proof multi-factor authentication.
App & API Protector, a cloud-based web application firewall with constantly updated application-layer firewall protections.
The resurgence of Emotet is a testament to how cyberattackers continue to evolve tried-and-true malware, while also developing new threats. It takes coordinated industry threat intelligence, advanced technology solutions, and human analysis to keep evolving defenses at the same pace.
Learn more
The most innovative financial services organizations trust Akamai to help secure their data.