Quantum, BlackCat ransomware gangs breach organizations with Emotet botnet

According to security researchers from AdvIntel, ransomware gangs such as Quantum and BlackCat are now using the Emotet malware in attacks.

Emotet started as a banking Trojan in 2014 and although it has developed over the years into a sophisticated botnet, it has been closely associated with the Conti ransomware gang.

The functionality of Emotet helps to avoid detection by some anti-malware products. Emotet uses worm-like capabilities to help spread to other connected computers.

Emotet is a Trojan that is primarily distributed via spam e-mail and can trigger the infection either via malicious scripts, macro-enabled document files or malicious links.

“From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” AdvIntel said in an advisory.

It is believed that the members of the now disbanded Conti ransomware gang are either part of other ransomware gangs such as BlackCat and Hive or as independent groups that focus on data extortion and other criminal enterprises.

According to AdvIntel, more than 1,267,000 Emotet infections have been observed worldwide since the beginning of the year, with activity peaks recorded in February and March. Typical attack sequences include the use of Emotet (aka SpmTools) as the first access vector to drop Cobalt Strike, which is then used as a post exploitation tool for ransomware operations.

A second increase, attributed to Quantum and BlackCat, occurred between June and July. Data show that the US, Finland, Brazil, the Netherlands and France are among the countries most targeted by Emotet.

Emotet is now used to deliver more banking Trojans. Early versions of Emotet were used to attack bank customers in Germany, while later versions of Emotet targeted organizations in Canada, the United Kingdom and the United States.

Below are tips to protect users from Emotet

1. Keep computers/endpoints up to date with the latest patches.

2. Do not download any suspicious attachments or click on a dodgy looking link.

3. User training on strong password creation.

4. Robust cybersecurity program.

The sources for this piece include an article in BleepingComputer.