Security Alert
Jonathan Crowe
Mar 2018

Emotet Attack Costs City of Allentown, PA $1 Million

allentown-pa-emotet-malware

Photo by Barry Cruver

Key Details

  • What's happening: A new wave of spam campaigns is infecting victims with Emotet, a dangerous credential-stealing trojan that hijacks infected machines and uses them to spread itself. Emails are disguised as billing notifications with Word doc or PDF attachments disguised as invoices.
  • Attack on city of Allentown, PA highlights victim challenges: The city is still recovering two weeks following an initial infection in mid-February. Various financial and public safefy operations are shut down. 
  • $1 million in recovery costs estimated: The city has hired representatives from Microsoft for an initial $185,000 emergency response fee, and officials estimate an additional $800,000 to $900,000 in recovery costs.
  • Why Emotet is so dangerous: Once an infection is underway, Emotet is notoriously difficult to remove. It moves laterally across infected networks, utilizes scheduled tasks and registry entries to spawn copies of itself, and even hijacks victims' email accounts to blast out spam emails designed to infect new victims. 
  • Barkly blocks Emotet: Barkly has been actively blocking numerous Emotet infection attempts across our customer base. By stopping these attempts early in the attack chain, Barkly blocks Emotet from gaining a foothold, preventing any damage with no recovery necessary.
  • Additional steps you can take now: Emotet typically arrives via phishing emails that may be sent from infected victims who users know and have done business with. For that reason, it's incredibly important for them to scrutinize emails they receive, especially any with attachments labeled as invoices. Disabling macros in documents downloaded from the Internet is strongly recommended, as is disabling or restricting PowerShell on user machines.
  • empty
  • empty

Watch Barkly vs. Emotet in action:
See the video

The city of Allentown, PA is still grappling with a malware outbreak that infected its systems during in mid-February. City officials have confirmed the malware they're dealing with is Emotet, a dangerous credential-stealing trojan that spreads quickly and is notoriously difficult to remove.

The malware has reportedly infected many of the city's most critical systems and is putting others at risk, including the Allentown's surveillance camera network consisting of 185 cameras installed at locations throughout the city. 

The attack has forced the closure of several public safety operations and has also put a freeze on some of the city's financial transactions. According to Allentown officials, the finance department is unable to complete any external banking transactions and the police department doesn't have access to certain law enforcement databases.

Cost of mitigation estimated at $1 million

Extensive work is underway to contain the malware, but as we've seen with other Emotet infections, removing it completely is proving challenging. The city has hired a team from Microsoft for an initial $185,000 emergency response fee, and it is estimating mitigation and recovery efforts will cost an additional $800,000 to $900,000 before systems are completely cleaned and restored. 

Why Emotet is so difficult to remove

Like many other trojans, Emotet goes out of its way to make removal attempts more difficult. When it lands on a victim machine it immediately creates scheduled tasks and registry key entries that run checks to confirm whether it's still present on the system. If not, scripts hidden in the registry will download new copies of the malware, effectively respawning it on machines IT staff assumed they had cleaned.

Registry keys, scheduled tasks, and files associated with Emotet are also all named randomly, raising the difficulty level for detection. Each infected machine will have artifacts with different names.  

To make matters worse, Emotet also exhibits extremely aggressive lateral movement techniques. One way it attempts to spread is by brute-forcing connections to network shares and other machines on the network. If successful, it creates a remote service (often named after legitimate system tools) and uses that service to write Emotet to the remote computer and execute it. 

For more information on how Emotet works, including an attack diagram, see our previous blog post or this technical write-up from McAfee.

Turning victims into spammers

Unfortunately, Emotet doesn't stop there. In addition, it hijacks victim Outlook accounts and uses them to send out new phishing emails to addresses it finds in the victim's inbox and sent folders. 

This is an especially diabolical touch, as it effectively gives the attackers a fresh new network of potential victims to infect, and a platform for sending them messages they're much more likely to open (because the emails are coming from people the targets know and trust).

It also puts the pressure on infected organizations to take their email offline before they find themselves suddenly sending out a barrage of malware-laden phishing emails. Having to explain to contacts and clients why it looks like you just tried to infect them with malware is an unenviable position to be in, and it's easy to see how business relationships can be damaged. 

It's unknown whether the infection at Allentown resulted in any additional infections, but city officials did warn city residents to avoid opening emails and email attachments from city staff. 

How to protect your organization from Emotet  

The recent spike in Emotet infections has been primarily fueled by spam email campaigns featuring Word document or PDF attachments disguised as invoices. 

Subject lines and document names differ campaign to campaign, but they are generally some variation of "Invoice Due," "Past Due Invoices," "New Order," "Important Please Read," etc.

Below is an email example found by My Online Security that uses a PDF attachment:

Emotet-PDF-spam.jpg

Source: My Online Security

Here is an example of the Word document downloaded in a different version of the attack: 

Emotet-Word-Doc.png


UPDATE 3/1/18:
Researcher Brad Duncan has spotted another Emotet campaign using emails designed to look like emails from Bank of America with the subject line "Bill Pay Alert."

Emotet-Bank-of-America-phishing-email.jpg Source: Malware-Traffic-Analysis


Phishing emails disguised as fake invoices like this are nothing new, but when they look like they're coming from a vendor your company actually does business with, they can be convincing.

Sharing this alert with end users so they can be especially wary of this threat is a good place to start, but organizations should also take the following steps to ensure they're prepared for any mistakes or unfortunate clicks that do happen.

  • Beware macros: If possible, disable macros in Office documents downloaded from the Internet by default across your organization. If that's not feasible, explain to users that when a document they downloaded from an email asks them to enable macros or enable content, that's a major red flag.

  • Disable or restrict PowerShell: When PowerShell isn't necessary on a device, disable it. When it is necessary, consider limiting it by using Constrained Language Mode.  

  • Replace your legacy antivirus with stronger, smarter endpoint protection: Allentown is yet another case where traditional antivirus wasn't able to prevent an infection from happening. To avoid a similar $1 million dollar incident, find out how Barkly blocks attacks that AVs miss
Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.

lock-white.png

Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.