The new Windows malware Emotet spreads via fake emails that look like they come from friends, business partners or your own boss. Also, the mail content is often written exactly as the real sender would do. Key people in large companies have been attacked for some time with emails manually tailored to them and tricked into activating malware. This approach is called spear phishing. What’s new about the malware released in 2019 is that even small businesses areattacked fully automatically with deceptively genuine emails .
Current malware can gain administrator rights via security holes and then systematically spread throughout the network before any visible damage is noticed.
The criminals behind these attacks know how critical the loss of data can be, even for small companies, and demand corresponding ransoms of up to 5 figures.
What happens during an attack?
You receive an email from someone you know with a text that looks completely normal and realistic. Attached to the mail is a document, usually Word or Excel. When opening the document, the system asks whether the macros may be activated. If you say yes here and enable the macros, your system is compromised.
Macros are programs that can simplify routine tasks in Word and Excel. This technology is exploited by the malware. However, Emotet authors use these commands to reload and install malware from the Internet.
By default, macros are disabled in Microsoft Office. However, they can be switched on quite easily with a mouse click on “Activate content”. And, of course, malware authors do their utmost to trick the user into taking this step.
If you receive a document by e-mail, you should NEVER activate the macros.
If a file from a mail asks for macros to be activated, it is most likely malware.
It only takes one employee, for example a temp, not paying attention once and your network is infected.
What can you do to protect yourself?
- Disable macros:
In Office 2016 (e.g. Word), under File/Options/TrustCenter/Settings for Trust Center/Macro Settings you can disable the variant “Disable all macros without notification” if you do not work with macros. - Install all Windows updates. This closes critical security gaps.
- Restrict rights. Not every employee needs administrator rights. Remove administrator rights from all employees who do not need them. This also limits the damage that malware can do to the system and the network.
Make sure that employees can only write to the data they really need. In this way, you limit the possible damage. - Backup. Make regular backups so that your data is not lost if a malware attack is successful. Check if your backups are really readable.
- Protection software. Use an up-to-date virus scanner. It is not enough to just have a virus scanner. You also need to update this regularly. Protection programs that specifically prevent ransomware, such as Sophos Endpoint Protection, are particularly recommended.
- Integrated network protection. If this is state of the art, it can detect and stop known and unknown computer malware. Computer and firewall communicate and detect suspicious activity together. Infected computers are thus automatically isolated, cleaned and put back into operation.And the entire solution is affordable even for small businesses.
Are you interested in this security solution? Then please fill out this form and we will get back to you with all the necessary information!
Contact us for more information
Let’s solve your data protection problems together
Use our contact form or call us at +43 2262 / 67 20 40
What to do if you are affected?
- Immediately disconnect the affected computers from the network and do not connect them to the company network until they are clean again.
- Check if you have a backup of the data. If there is no backup, you can respond to ransomware offers. Keep in mind, however, that a security solution at the current level would likely have cost 1/10th or less of the ransom. Moreover, you have no guarantee that the data will be decrypted.
- If you have a backup, wipe the entire hard drive and reinstall the affected machines.
- You can restore your data with the help of a backup.
- Change all passwords used on the system, as they can be read by Emotet.
- In any case, report the incident to the data protection authority and file a complaint. Help, tips, etc. can be found here: Kuratorium Sicheres Österreich and Bundeskriminalamt.
- Install protection software at the state of the art. The cost is a few euros per computer per month.
Are you interested in this security solution? Then please fill out this form and we will get back to you with all the necessary information!
Contact us for more information
Let’s solve your data protection problems together
Use our contact form or call us at +43 2262 / 67 20 40
For more information, see the magazine c’t 1/2019, pp. 70-76.