The joint operation that brought EMOTET to its knees deserves congratulations. It is, or was, one of the single largest cyber threats out there. Its real beauty, or dastardly wickedness, was that it was not a simple ransomware attack. It was a door opener, and once a door was opened, the operators sold that access point to criminal gangs that wanted to extort the victim with Trojans, ransomware or other evil malware.
The problem is that this victory over EMOTET is just one battle in a war that will last as long as the digital world exists.
Weekly, we see press releases and news stories about ever more sophisticated attacks. Just last week, Sophos Labs reported a truly evil attack, using a ‘ghost’ account.
A ransomware called Nefilim has emerged as a potent new threat and highlights one key and dangerous aspect of the new breed of hacker.
Like EMOTET, Nefilim ‘opens a door.’ The difference is that the perpetrators then wait patiently to see if they are noticed before launching the actual ransomware attack.
The targets, on two occasions, have been ‘ghost’ accounts: accounts with a high level of access that had been left active because they were part of an ongoing process.
The attackers waited for weeks, quietly stealing many gigabytes of data, and only then announced their presence.
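The ‘ghost’ account problem above comes down to privileged accounts that stay enabled after nobody uses them any more. As an added example (not from the Sophos report or any vendor tool), the following audit flags enabled, privileged accounts that have not logged on for more than a set number of days, or never at all; the CSV layout, group names and sample accounts are all constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample directory export (not real data). Assumed columns:
# account name, enabled flag, last logon date (empty = never), group list.
SAMPLE_EXPORT = """\
account,enabled,last_logon,groups
svc_migration,True,2020-09-14,Domain Admins;Backup Operators
jsmith,True,2021-01-27,Domain Users
contractor_old,True,,Domain Admins
helpdesk1,False,2020-06-01,Account Operators
dbadmin,True,2021-01-20,Domain Admins
"""

# Assumed set of groups treated as high-privilege for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Backup Operators", "Account Operators"}


def find_ghost_accounts(export_csv, as_of, max_idle_days=30):
    """Return enabled, privileged accounts idle for more than max_idle_days
    or that have never logged on. as_of is a 'YYYY-MM-DD' date string.
    Never-logged-on accounts come first, then the longest idle."""
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d")
    ghosts = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts are not usable as-is
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        privileged = groups & PRIVILEGED_GROUPS
        if not privileged:
            continue  # only high-access accounts matter for this check
        last = row["last_logon"].strip()
        if last:
            idle = (as_of_date - datetime.strptime(last, "%Y-%m-%d")).days
        else:
            idle = None  # never logged on: created but never used
        if idle is None or idle > max_idle_days:
            ghosts.append({"account": row["account"], "idle_days": idle,
                           "privileged_groups": sorted(privileged)})
    ghosts.sort(key=lambda g: (g["idle_days"] is not None, -(g["idle_days"] or 0)))
    return ghosts


if __name__ == "__main__":
    for g in find_ghost_accounts(SAMPLE_EXPORT, "2021-02-01"):
        print(g["account"], g["idle_days"], g["privileged_groups"])
```

In practice the export would come from the directory service itself, and every account flagged should be disabled or have its group membership reviewed rather than left active because a process ‘might still need it’.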
EMOTET may have been dealt a serious, possibly fatal, blow but the armies of cyber attackers grow ever more sophisticated, ever better funded (sometimes at State level) and ever more strategic.
The next phase in this ongoing cyber war will only get worse. Criminal gangs are already using AI to scan targets more effectively and to plan campaigns. And stealth is now their watchword. AI-assisted attacks enable the bad guys to blend into the target’s background activity, take their time to infiltrate the networks, and do their dirty work without being noticed.
The only answer is to fight AI with AI, but this still comes down to the skill, knowledge and audacity of those who control it.
The defeat of EMOTET is a victory and one brought about through collaboration. We must remember that it is only through collaboration, information sharing and vigilance (of all user accounts) that we have any chance of staying level with cybercriminals.