Emotet, Ryuk, Ransomware – The Stuff of Nightmares
It’s going to be one of those days. Your CISO or head of IT looks worried and you’re getting a familiar burning sensation in your stomach as he explains the situation. He’s getting too technical – talking about “Emotet”, “Mealybug”, and something called “the infamous Ryuk gang”. You ask the question: “What can we do?” You mentally translate his answer into lost revenue and productivity. And an unpleasant conversation with your boss…
If your business connects in any way to the internet you are vulnerable to a nasty bit of malware called “Emotet”. This malware first appeared in 2014, the product of the hacker group “Mealybug”. It hides in spam emails that appear to originate from trusted vendors like PayPal or DHL. If the user opens the email and the attached Word or Excel document (sometimes labeled as an “Invoice” or “receipt”) and the user’s system is connected to the internet, the embedded macro downloads additional code which harvests the machine’s address book and initiates a new batch of spam emails to all the user’s contacts, spreading the infection further.
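One defender-side way to catch the lure just described at the mail gateway, added here as an example and not code from the original post or from Ardent Security: each message is scored on the three traits the paragraph names (a trusted brand in the display name with a mismatched sender domain, a macro-capable Word or Excel attachment, and an invoice or receipt style filename). The sample records, brand list and extension list are constructed for the example.

```python
import re

# Constructed sample mail-gateway records (not real messages), modelled on the
# lure described above: a trusted brand in the display name, a lookalike sender
# domain, and a macro-capable Office attachment named like an invoice or receipt.
SAMPLE_MAIL = [
    {"from": "PayPal Billing <billing@paypa1-secure.com>",
     "attachment": "Invoice_8823.doc", "has_macro": True},
    {"from": "DHL Express <notify@dhl.com>",
     "attachment": "shipment_label.pdf", "has_macro": False},
    {"from": "Accounts <ap@example-partner.com>",
     "attachment": "receipt.xlsm", "has_macro": True},
    {"from": "HR <hr@example.com>",
     "attachment": "handbook.docx", "has_macro": False},
]

# Brands the lure impersonates, mapped to the domain that may legitimately use them.
TRUSTED_BRANDS = {"paypal": "paypal.com", "dhl": "dhl.com"}
# Legacy binary (.doc/.xls) and macro-enabled Office extensions can carry VBA macros.
MACRO_EXTS = (".doc", ".xls", ".docm", ".xlsm", ".dotm", ".xlam")
LURE_WORDS = re.compile(r"invoice|receipt|payment|statement", re.I)

def sender_domain(from_header):
    """Return the lower-cased domain of the address inside <...>, or after the @."""
    m = re.search(r"<[^@>]+@([^>]+)>", from_header)
    return (m.group(1) if m else from_header.split("@")[-1]).lower()

def score_message(msg):
    """Return the list of lure traits this message exhibits (empty if none)."""
    reasons = []
    domain = sender_domain(msg["from"])
    display = msg["from"].split("<")[0].lower()
    for brand, legit in TRUSTED_BRANDS.items():
        if brand in display and domain != legit and not domain.endswith("." + legit):
            reasons.append(f"display name claims {brand} but sender domain is {domain}")
    name = msg["attachment"].lower()
    if msg["has_macro"] or name.endswith(MACRO_EXTS):
        reasons.append("macro-capable Office attachment")
    if LURE_WORDS.search(name):
        reasons.append("invoice/receipt style attachment name")
    return reasons

def flag_emotet_style_lures(messages, min_reasons=2):
    """Messages showing at least min_reasons traits, as (sender, reasons) pairs."""
    flagged = []
    for msg in messages:
        reasons = score_message(msg)
        if len(reasons) >= min_reasons:
            flagged.append((msg["from"], reasons))
    return flagged
```

Requiring two traits keeps a genuine vendor mail with a PDF, or an internal .docx with no macro, below the threshold while the spoofed-brand invoice with a legacy .doc is flagged.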
But that was just in Mealybug’s first generation of Emotet. After seven years the Mealybug group now runs a full-service criminal operation providing its malware as a service (MaaS) to other criminal organizations, including the aforementioned Ryuk gang, famous for their ransomware attacks on governments, academia, healthcare, manufacturing and technology companies’ digital systems. By 2017, Emotet was also being used to distribute the Trickbot Trojan that targeted US banking companies with bogus emails supposedly from a legitimate Dropbox mailbox that lured the user to download a “secure document” containing various malware.
How expensive were these attacks? According to the alert sent in July 2018 by the U.S. Dept. of Homeland Security, these Emotet infections have cost the infected governmental organizations up to $1 million per incident to resolve.
Your IT folks assured you that your antivirus network guardian programs were fully up-to-date. How did this malware evade detection?
Emotet is polymorphic code. It modifies itself as it self-installs on a machine so that no two versions of the malware look the same after installation. Signature-based antivirus software looks for specific chunks of code (akin to fingerprints), but the Emotet code looks different on every new machine.
There is some good news. The website Bleepingcomputer.com reports that in January 2021 international law enforcement isolated and captured the hundreds of distributed cloud-based servers around the globe that were being used to support Emotet’s functions. According to Europol, by April 25, 2021, the Emotet malware was finally uninstalled from all infected devices using a module developed by the German Bundeskriminalamt (BKA) federal police agency.
Unfortunately, the shutdown of Emotet’s infrastructure was temporary. The malware reappeared four months later and as recently as December 15, 2021, the Cryptolaemus Emotet group reported (on BleepingComputer.com) that they were “…observing Cobalt Strike (CS) Beacons being dropped as of the last few minutes…”. Those CS modules were being downloaded directly by Emotet from its C2 (Command and Control) server for execution on the infected devices. With a beacon in place, the operators can quickly spread laterally across the infected endpoints, steal files, and deploy further malware with immediate access to the compromised networks.
Bye-bye botnets👋 Huge global operation brings down the world’s most dangerous malware.
Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.
Get the full story: https://t.co/NMrBqmhMIf pic.twitter.com/K28A6ixxuM
— Europol (@Europol) January 27, 2021
On January 27th, Europol announced that they had apprehended the Ryuk group and taken down their notorious Emotet botnet. However, it is only a question of time before other cybercriminal groups fill this vacuum and start targeting more organizations.
You’d really like to avoid this outcome for your business. So, what’s to be done?
Today’s interconnected world requires a multi-pronged defense. Antivirus software is no longer sufficient. Ardent Security offers over a decade of experience helping small to large growth companies around the world proactively respond to new cyber threats. Ardent Security services include:
Vulnerability Assessment (VA): Where is the gap in the walls of your network fortress? Is your network like France’s Maginot Line – believed impregnable until the Germans slipped past it through Belgium? Quickly identify known flaws in your network.
Penetration Testing: In case of a system compromise, what can the attackers do? Adopt an assumed breach zero trust approach and have our experts test your internal network, cloud-based, mobile and web applications to know if you are secure!
Adversarial Simulation (AS): Like training a boxer, you need someone testing your defenses and responses; throwing punches and evading your best shots. Practice makes you better. Is your detection and response team efficient? We will find out together.
Cyber Security Training: Training the weakest link in the system – the human. Forewarned is fore-armed.
Compliance & Resilience planning: Specific analysis and guidance on meeting industry requirements and standards to ensure a more reliable and resilient network.
For help avoiding that dreaded conversation with your VP of Cyber Security in which he sadly informs you of the latest data breach or ransomware attack against your company, contact Ardent Security today at:
We can help.