In November 2018 the Rockingham school district in North Carolina suffered an Emotet malware infection that cost a massive $314,000 to resolve. The malware was delivered using spam emails, which were sent to multiple users’ inboxes. The attack included an often-used ploy by hackers to get users to install malware.

The emails appeared to have been sent by the anti-virus supplier used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice attached to the email. The emails were believable and looked like many other legitimate emails received on a daily basis. The emails requested the recipient open and check the attached invoice; however, doing so resulted in Emotet being downloaded and installed.

Not long after those emails were received and opened, staff started to experience problems. Internet access seemed to have been disabled for some users and reports were received from Google saying email accounts had been disabled due to spamming. The school district looked into the issue and discovered several devices and servers had been infected with malware.

Emotet malware is a Trojan that can worm its way across a network. Infection on one machine will result in the virus being sent to other vulnerable devices. The malware can also send copies of itself via email, and injects itself into previous message threats. The malware is capable of stealing victims’ credentials including online banking details, and also acts as a downloader of other malware variants and ransomware.

Emotet is a very advanced malware variant that is difficult to spot and hard to remove. The Rockingham school district discovered just how troublesome Emotet malware infections can be when attempts were made to remove the Trojan. The school district was able to successfully clean some infected machines by reimaging the devices; however, malware remained on the network and simply re-infected those devices.

Addressing the attack required assistance from security experts. 10 ProLogic ITS engineers spent approximately 1,200 hours on site reimaging machines. 12 servers and around 3,000 end points had to be reimaged to remove the malware and stop reinfection. The cost of cleanup ran to $314,000.

Attacks such as this are far from unusual. Cybercriminals target a wide range of vulnerabilities to install malware on business computers and servers. In this case, the attack took advantage of gaps in email defenses and a lack of security awareness of staff members.

To safeguard against malware, layered defenses are necessary. An advanced spam filtering solution can ensure malicious emails are not delivered to inboxes, endpoint protection software can detect unusual user behavior indicating an attack in progress, antivirus solutions can potentially discover infections, while web filters can block web-based attacks and drive-by malware downloads. End users are the last line of defense and should be shown how to recognize malicious emails and websites. Using a combination of these measures will help to prevent attacks such as this.