In November 2017 the Rockingham school district in North Carolina discovered Emotet malware had been installed on its network, resulting in a payment of $314,000 to resolve the infection.
The malware was delivered via spam emails that landed in multiple users' inboxes. The attack relied on a ploy cybercriminals use regularly to get users to download malware.
The emails appeared to have been sent by the anti-virus vendor used by the school district, with the subject line 'incorrect invoice' and the supposedly correct invoice included as an attachment. The emails looked genuine and closely resembled the many legitimate emails the district received on a regular basis.
The emails asked the recipient to open and check the attached invoice; doing so, however, resulted in malware being installed on the recipient's computer.
Not long after those emails were received and opened, staff started to experience problems. Internet access appeared to have been disabled for some users, and the district began receiving notices from Google that email accounts had been shut down for sending spam. The school district investigated and found that several devices and servers had been infected with malware.
Emotet is a network worm: an infection on a single machine is enough for it to propagate to other vulnerable devices on the network. The worm drops banking malware on infected devices, which is used to harvest victims' credentials, including online banking details.
Emotet is a highly advanced malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how problematic Emotet infections can be when it attempted to remove the worm. The district was able to clean some infected machines by reimaging them, only for the malware to quickly re-infect those computers.
Tackling the attack required assistance from security specialists, but even with expert help the recovery is expected to take up to a month. 10 ProLogic ITS engineers will be on site reimaging 1,200 machines; 12 servers and potentially up to 3,000 endpoints must be reimaged to remove the malware and prevent reinfection. The estimated cost of the cleanup is $314,000.
Attacks such as this are quite common. Cybercriminals exploit a wide range of vulnerabilities to install malware on business computers and servers. In this instance the attack took advantage of gaps in email defenses and a lack of security awareness among staff. Malware can just as easily be installed by exploiting unpatched flaws in software or through drive-by downloads from the web.
To safeguard against Emotet and other viruses and worms, layered defenses are needed. An advanced spam filtering solution can stop malicious emails from being delivered, endpoint detection systems can flag atypical user behavior, antivirus solutions may detect and block infections, and web filters can block web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to recognize malicious emails and websites.
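As an added illustration of the spam-filtering layer (example code written for this page, not code from the district, ProLogic ITS or any vendor), the following Python triage scores an inbound message on the indicators the lure above combined: a display name claiming to be the anti-virus vendor while the address sits on a different domain, an invoice-themed subject, failed sender authentication, and an attachment type commonly used to drop malware. The vendor name and domain, the Authentication-Results values and both sample messages are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical vendor identity; the district's real anti-virus vendor is not named.
VENDOR_NAME = "av vendor"
VENDOR_DOMAIN = "av-vendor.example"
LURE_WORDS = ("invoice", "payment", "receipt", "remittance")
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".js", ".zip", ".exe")

def analyze_message(raw: bytes) -> dict:
    """Score one RFC 5322 message; two or more indicators means quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", "")).lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    # Display name claims to be the vendor, but the address is not on the vendor's domain
    if VENDOR_NAME in name.lower() and sender_domain != VENDOR_DOMAIN:
        reasons.append(f"display name impersonates vendor, sender domain is {sender_domain!r}")
    if any(word in subject for word in LURE_WORDS):
        reasons.append("invoice/payment themed subject")
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("sender authentication failed")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            reasons.append(f"attachment type commonly used to drop malware: {fname}")
    return {"quarantine": len(reasons) >= 2, "reasons": reasons}

def build_sample(sender: str, subject: str, attachment: str, auth: str) -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "staff@district.example"
    m["Subject"] = subject
    m["Authentication-Results"] = auth
    m.set_content("Please open the attached invoice and check it.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return bytes(m)

# Constructed lure modelled on the one described above, and a legitimate-looking invoice.
LURE_SAMPLE = build_sample("AV Vendor Billing <billing@av-vendor-accounts.example>",
                           "Incorrect invoice", "invoice.doc", "mx.district.example; spf=fail")
LEGIT_SAMPLE = build_sample("AV Vendor Billing <billing@av-vendor.example>",
                            "Your monthly invoice", "invoice.pdf", "mx.district.example; spf=pass dkim=pass")
```

Calling `analyze_message(LURE_SAMPLE)` returns a quarantine verdict with four reasons, while the legitimate invoice from the vendor's own domain trips only the subject keyword and is delivered, which is the point of scoring several weak signals together rather than blocking on the word "invoice" alone.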
Only a combination of these and other cybersecurity measures can keep organizations well protected. With layered defenses in place, costly malware and phishing attacks such as the one experienced by the Rockingham school district can be avoided.