US regulators order banks to report cyberattacks within 36 hours
Hackers deploy Linux malware, web skimmer on e-commerce servers
Six million Sky routers exposed to takeover attacks for 17 months
Microsoft: Windows Installer breaks apps after updates, repairs
The Week in Ransomware – November 19th 2021 – Targeting Conti
Some Tesla owners unable to unlock cars due to server errors
Emotet botnet comeback orchestrated by Conti ransomware gang
New Windows 11 build fixes Microsoft Installer issue breaking apps
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Emotet botnet comeback hatched by ex-Ryuk member part of Conti ransomware
The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang.
Security researchers at intelligence company Advanced Intelligence (AdvIntel) believe that restarting the project was driven by the void Emotet itself left behind on the high-quality initial access market after law enforcement took it down ten months ago.
The revival of the botnet follows a long period of malware loader shortage and the decline of decentralized ransomware operations that allowed organized crime syndicates to rise again.
Considered the most widely distributed malware, Emotet acted as a malware loader that provided other malware operators initial access to infected systems that were assessed as valuable.
Qbot and TrickBot, in particular, were Emotet’s main customers and used their access to deploy ransomware (e.g. Ryuk, Conti, ProLock, Egregor, DoppelPaymer, and others).
“Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialization for the needs of specific customers” – AdvIntel
The botnet operators provided initial access at an industrial scale, so many malware operations depended on Emotet for their attacks, especially those in the so-called Emotet-TrickBot-Ryuk triad.
Ryuk is the predecessor of Conti ransomware. The switch occurred last year when Conti activity started to increase and Ryuk detections dwindled down. The operators of both ransomware strains have a long history of attacks hitting organizations in the healthcare and education sector.
AdvIntel researchers say that once Emotet disappeared from the scene, top-tier cybercriminal groups, like Conti (loaded by TrickBot and BazarLoader) and DoppelPaymer (loaded by Dridex) were left without a viable option for high-quality initial access.
“This discrepancy between supply and demand makes Emotet’s resurgence important. As this botnet returns, it can majorly impact the entire security environment by matching the ransomware groups’ fundamental gap” – AdvIntel
The researchers believe that one reason that contributed to multiple ransomware-as-a-service (RaaS) operations shutting down this year (Babuk, DarkSide, BlackMatter, REvil, Avaddon) was that affiliates used low-level access sellers and brokers (RDP, vulnerable VPN, poor quality spam).
With competitors leaving the ransomware business, the “traditional groups” such as Conti (previously Ryuk) and EvilCorp climbed up the ladder once again, attracting “the talented malware specialists who are massively leaving disbanded RaaSes.”
The Conti group, with at least one Ryuk former member on board and in partnership with Emotet’s biggest client, TrickBot, was in the best position to ask Emotet operators for a comeback.
AdvIntel researchers are confident that the Conti group will deliver their payload to high-value targets via Emotet once the botnet grows, and will become a dominant player on the ransomware scene.
Since partnerships yield the best results, as shown by the Emotet-TrickBot-Ryuk alliance in 2019 and 2020, a new triad may soon rise above other operations, with Conti ransomware as the final payload.
Emotet malware is back and rebuilding its botnet via TrickBot
TrickBot teams up with Shatak phishers for Conti ransomware attacks
FIN12 hits healthcare with quick and focused ransomware attacks
Here are the new Emotet spam campaigns hitting mailboxes worldwide
Lockean multi-ransomware affiliates linked to attacks on French orgs
Not a member yet? Register Now
Winamp prepares a relaunch, new beta version almost ready
Hackers deploy Linux malware, web skimmer on e-commerce servers
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

New Windows 11 Voice Access lets you control the OS with your voice

Emotet now drops Cobalt Strike, fast forwards ransomware attacksSonicWall ‘strongly urges’ customers…

Microsoft: Office 365 will boost default protection for all users

Microsoft: Office 365 will boost default protection for all usersMicrosoft increases Windows…

DHS announces 'Hack DHS' bug bounty program for vetted researchers

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsBugs in billions…

XE Group exposed for eight years of hacking, credit card theft

Emotet now drops Cobalt Strike, fast forwards ransomware attacksSonicWall ‘strongly urges’ customers…