Emotet's comeback is getting a boost from fellow botnet TrickBot

The resurgence of the botnet Emotet after a law enforcement takedown earlier this year is getting a boost from fellow crime group TrickBot, researchers at Check Point have found.

Since Emotet's return in November, Check Point has identified 113 new Emotet targets in the first week of December alone, nearly half the infection rate it had right before it was taken down.

Emotet attempted to infect 657 new organizations (219 per week) during January 2020, and it had already hit 113 new targets in the first week of December 2020. This means that in the three weeks since its comeback, Emotet has already regained 50% of the infection rate it had before it was taken down.

The samples of the Emotet malware are being delivered via servers that TrickBot infected in mid-November. A number of other researchers have confirmed Emotet’s return and have observed TrickBot distributing the malware.

Emotet received a series of debilitating blows last year at the hands of law enforcement. In January, U.S. and European authorities took control of the botnet’s network of infected computers and arrested several of its operators. Authorities followed that January takedown with an operation to corrupt the malware in April. Emotet essentially disappeared off the map at that point.

TrickBot also suffered a blow ahead of the 2020 U.S. election, when Microsoft and U.S. Cyber Command launched separate operations to disrupt its network. But unlike Emotet, TrickBot rebounded quickly. Since TrickBot's takedown, Check Point has identified 140,000 victims across 149 countries, concentrated mainly in Portugal and the United States. TrickBot has also been tied to other major malware families, including Ryuk and Conti ransomware.

Emotet has piggybacked off that growing network for its own rapid ascent. Both groups are well known for renting out their infrastructure to ransomware groups, a bad sign for the state of ransomware in 2022.

“Emotet is our best indicator for future ransomware attacks. We should treat Emotet and Trickbot infections like they are ransomware,” Lotem Finkelstein, head of threat intelligence at Check Point Software, said in a statement. “Otherwise, it is only a matter of time before we have to deal with an actual ransomware attack.”
