Emotet is now spreading Quantum and BlackCat ransomware

  • Thread starter: Security feed from CyberSecurity Help
The infamous Emotet malware is now being used by ransomware-as-a-service (RaaS) groups such as Quantum and BlackCat, after the Conti ransomware gang shut down its operation in May, according to a new report from cybersecurity firm AdvIntel.

Emotet is a trojan that commonly acts as a downloader or dropper for other malware. It is primarily spread via phishing email attachments and links that, once opened or clicked, launch the payload. First spotted in 2014, Emotet evolved over time into sophisticated malware that major cybercriminal groups have used as an initial attack vector.

“From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool; however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” the researchers said.

“The observed botnet taxonomy attacker flow for Emotet is Emotet -> Cobalt Strike -> Ransomware Operation. What this means is that currently, the way that threat actors primarily utilize Emotet is as a dropper, or downloader for a Cobalt Strike beacon, which deploys a payload allowing threat actors to take over networks and execute ransomware operations.”

AdvIntel said it has detected over 1,267,000 Emotet infections across the world since the start of 2022, with significant activity peaks in February and March, coinciding with Russia's invasion of Ukraine, and in June and July, attributed to Emotet’s use alongside post-Conti groups. The highest number of infections was observed in the United States (35.7%), followed by Finland (10.3%), Brazil (9.9%), the Netherlands (9.4%), and France (7.7%).
