The Rockingham school district in North Carolina identified that Emotet malware had been downloaded to its network in late November. The cost of tackling the infection was a massive $314,000.
The malware was sent using spam emails, which arrived in multiple users’ inboxes. The attack incorporate a commonly used ploy by cybercriminals to get users to download malware.
The emails seemed to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attached file. The emails seem genuine and were similar to many other legitimate emails received everyday.
The emails requested that the recipient open and review the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.
Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users. Reports from Google saying email accounts had been shut down due to spamming started to be received. The school district investigated and discovered several devices and servers had been infected with malware.
Emotet malware is a network worm that can spread across a network. Infection on one machine will see the virus sent to other vulnerable devices. The worm installs a type of banking malware on infected devices that is used to steal victims’ credentials such as online banking information.
Emotet is a very advanced malware variant that is hard to detect and erase. The Rockingham school district discovered just how troublesome Emotet malware infections can be when efforts were made to remove the worm. The school district was able to successfully clean some infected machines by re-imaging the devices; however, the malware simply re-infected those devices.
Resolving the attack required assistance from security specialists, but even with expert help the recovery process is expected to take up to four weeks. 10 ProLogic ITS engineers will spend around 1,200 on site re-imaging machines. 12 servers and possibly up to 3,000 end points must be reimaged to remove the malware and stop reinfection. The cost of cleanup will be as high as $314,000.
Attacks such as this are far from rare. Cybercriminals target a wide range of flaws to install malware on business computers and servers. In this case the attack used gaps in email defenses and a lack of security awareness of staff. Malware can similarly be downloaded by exploiting unpatched flaws in software, or by drive-by downloads using the Internet.
To safeguard against Emotet malware and other viruses and worms layered defenses is necessary. An advanced spam filtering solution can ensure malicious emails are not broadcasted, endpoint detection systems can identify atypical user behavior, antivirus solutions can possibly detect and prevent infections, while web filters can block web-based attacks and drive-by downloads. End users are the last line of security and should therefore be trained to identify malicious emails and websites.
Only a combination of these and other cybersecurity defenses can keep companied secure. Luckily, with layered defenses, it is possible to avoid expensive malware and phishing attacks such as the one suffered by the Rockingham school district.
