In November 2018 the Rockingham school district in North Carolina suffered an Emotet malware infection that cost a massive $314,000 to resolve.
The malware was first delivered by spam emails sent to multiple users’ inboxes, using a ploy hackers often rely on to get users to install malware.
The emails appeared to come from the anti-virus supplier used by the school district, with the subject line ‘incorrect invoice’ and what was presented as the correct invoice attached. The emails were believable and looked like many of the legitimate emails received on a daily basis.
The emails asked the recipient to open and check the attached invoice; doing so downloaded and installed malware on the recipient’s device.
Not long after those emails were received and opened, staff started to experience problems. Internet access appeared to have been disabled for some users, and reports arrived from Google that email accounts had been disabled for sending spam. When the school district investigated, it discovered that several devices and servers had been infected with malware.
Emotet is a network worm: once it infects one machine, it spreads to other vulnerable devices on the same network. The worm leaves a type of banking malware on infected devices that is used to steal victims’ credentials, including online banking details.
Emotet is a sophisticated malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how troublesome Emotet infections can be when it attempted to remove the worm: it successfully cleaned some infected machines by reimaging them, only for the malware to re-infect those devices.
Addressing the attack required assistance from security experts. Ten ProLogic ITS engineers spent approximately 1,200 on site reimaging machines; 12 servers and around 3,000 endpoints had to be reimaged to remove the malware and stop reinfection. The cleanup cost ran to $314,000.
Attacks such as this are far from unusual. Cybercriminals exploit a wide range of weaknesses to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness among staff. Malware can equally be delivered by exploiting unpatched software flaws or through drive-by downloads from the web.
To safeguard against Emotet and other viruses and worms, layered defenses are necessary. An advanced spam filtering solution can stop malicious emails from being delivered, endpoint detection systems can detect unusual user behavior, antivirus solutions can potentially discover and stop infections, and web filters can block web-based attacks and drive-by installations. End users are the last line of defense and should therefore be taught how to recognize malicious emails and websites.
Only a combination of these and other cybersecurity measures can keep organizations safe.
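The lure described above combines several signals that both a mail gateway and a trained user can check: a display name that claims to be a known vendor while the address domain is something else, a lookalike domain, an invoice-themed subject, an attachment type that can carry a macro or script, and body text urging the reader to open it. The following script is an added example, not code from the original article or from any product it mentions; it scores a message on those signals and returns a deliver, flag or quarantine decision. The vendor name, domains, thresholds and the two sample messages are constructed for the example.

```python
"""Heuristic triage of inbound mail for vendor-impersonation invoice lures.

Added example; vendor names, domains, thresholds and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Constructed: brands the organisation actually buys from, mapped to the
# domain those vendors really send from.
TRUSTED_VENDORS = {"example av": "example-av.com"}

# Attachment types commonly used to carry a first-stage downloader.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs",
                    ".exe", ".scr", ".zip", ".iso"}

LURE_SUBJECT = re.compile(r"\b(invoice|payment|overdue|remittance)\b", re.I)
OPEN_ATTACHMENT = re.compile(r"\b(open|check|review|see) the attached\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def action(self) -> str:
        # Constructed thresholds: tune against real traffic before relying on them.
        if self.score >= 5:
            return "quarantine"
        if self.score >= 3:
            return "flag"
        return "deliver"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: str) -> Verdict:
    """Score one RFC 5322 message and return a Verdict."""
    msg = message_from_string(raw, policy=default)
    v = Verdict()
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)

    # Signal 1: display name claims a trusted vendor but the address domain is not the vendor's.
    for brand, real_domain in TRUSTED_VENDORS.items():
        if brand in display_name.lower() and sender_domain != real_domain:
            v.add(3, f"display name {display_name!r} impersonates {real_domain}, sent from {sender_domain}")
        elif sender_domain != real_domain and real_domain.split(".")[0] in sender_domain:
            v.add(2, f"lookalike sender domain {sender_domain}")

    # Signal 2: Reply-To steers replies to a domain other than the sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        v.add(1, f"Reply-To domain {_domain(reply_to)} differs from sender")

    # Signal 3: invoice or payment wording in the subject.
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        v.add(1, f"invoice-themed subject: {subject!r}")

    # Signal 4: attachment of a type that can run code or hide a script.
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        lower = filename.lower()
        if any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            v.add(2, f"risky attachment type: {filename}")
        if lower.count(".") > 1:  # crude double-extension check, e.g. invoice.pdf.exe
            v.add(1, f"double extension: {filename}")

    # Signal 5: body urges the reader to open the attachment.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if OPEN_ATTACHMENT.search(text):
        v.add(1, "body asks the reader to open the attachment")
    return v


def build_sample(from_hdr, subject, body, filename, reply_to=None) -> str:
    """Constructed test message; only the attachment name matters to triage()."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "staff@example-school.org"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed: an impersonation lure and a genuine vendor invoice.
LURE = build_sample('"Example AV Billing" <accounts@example-av-billing.net>',
                    "Incorrect invoice",
                    "Please open the attached corrected invoice.",
                    "invoice_1187.doc",
                    reply_to="billing@mail-relay.example.net")
LEGIT = build_sample('"Example AV Billing" <accounts@example-av.com>',
                     "Invoice 1187 for March",
                     "Please see the attached invoice for this month.",
                     "invoice_1187.pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        verdict = triage(raw)
        print(label, verdict.action, verdict.score, verdict.reasons)
```

The genuine invoice still scores on the subject and the "see the attached" wording, which is why those two signals alone stay below the flag threshold; it is the combination with a mismatched vendor domain and a macro-capable attachment that pushes the lure into quarantine. The reasons list is what a user-awareness program should teach staff to look for by eye.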