Emotet Banking Trojan - How a Single Mouse Click Cost a North Carolina School District $314,000

Posted by Geraldine Hunt on Wed, Feb 7th, 2018

Sometimes it can seem that life is not fair. The Rockingham School District in North Carolina had been utilizing a very reputable and highly popular computer antivirus software for years to protect their enterprise. School leadership thought that this would protect their district from malware attacks.  In fact, it had served them well, combatting and eliminating ransomware infections and protecting their data. So while one of the biggest malware menaces of the last three years was unable to infect their district and disrupt the learning process for their schools, the Emotet banking Trojan did, and did it in a big way last month. A user clicked on an infected EXE file in a phishing email with the headline, “Incorrect invoice’’. That single click has totally disrupted operations for a full month and cost the district $314,000.

How Was Emotet Able to Infect the School System?

Emotet is one nasty threat. It is a part Trojan, part network worm that steals banking information, contact address books and even performs DDOS attack.  It first made its appearance back in 2014.  The worm targets weak admin passwords to help spread across a victim's network to drop malicious payloads onto the target computers. Unfortunately, Emotet is a new breed of malware that is making its appearance throughout the world.  It is smart, so smart that it is capable of getting past 75% of all antivirus software on the market today.

Most malware is straightforward to combat, especially strains that utilize email for deployment.  Malicious email attachments wait for unsuspecting users to click on them.  Because their code is stationary and unchanging, antivirus software manufacturers can easily identify code signatures and create code to eliminate these strains.  Unfortunately, Emotet is a polymorphic banking strain that is capable of altering itself, changing its appearance, and as a result, go undetected and unabated.

A Nightmare Unfolds

Technology staff at the Rockingham School District began to realize something was amiss when Google began disabling some email accounts that were producing spam.  This is one of the primary methods that Emotet uses to spread itself.  Once infected, it examines the email contacts within an infected machine and begins the spamming process. Soon, phone calls began coming in that users could not access the Internet.  This was due to the DDOS attacks that infected computers lodged onto the internal network.  For all practical purposes, the school system’s network infrastructure was shut down.

Technology staff began using traditional means to clean the infected machines.  When this did not work, they tried re-imaging the computers, only to have them become re-infected in a matter of minutes.  With little recourse, the calamity was brought to the attention of the school board, who voted to bring in an outside virus mitigation service to rid the twenty servers, which had to be rebuilt from scratch, along with 3,000 client machines of the infection.  It took 10 engineers and over 1,200 on-site hours to complete the job.  The cost of this endeavour was $314,000.  The FBI was also notified of the incident and brought in.

Could Emotet have Been Stopped?

The Rockingham School Superintendent referred to the Emotet outbreak as a disease, one that was seemingly impossible to quarantine.  School officials, as well as the public in the community, are asking themselves how this could have been prevented.  Like many outbreaks, little things could have been done.Although we do not know what type of email security the school district utilized, email is the primary deployment method used by cybercriminals. Not only is email security paramount today for a properly thought out multi-layered security strategy, but user training is imperative as well.  Cautious scepticism needs to be the rule amongst the workforce. 

Emotet is deployed through a word attachment that serves as a macro-based downloader.  Macros are a series of operations that can automate routine processes.  Unfortunately, they are also utilized by cybercriminals.  If macros are enabled, an encased code downloads a windows executable to the AppData\Local\Temp directory with a file name of 5 random digits and an .exe file extension.  With the exception of a few power users, you should go into Word settings and either select “Disable all macros with notification” or at the least, “Disable all macros except digitally signed macros”

The virus is designed to target machines that have not been properly updated. A strong diligence to ensuring that all machines are updated and fully patched is imperative. A portal based management system used by managed service providers can prove highly effective in these situations.

The cyber attack that rocked the Rockingham school district shows how cyber attacks continue to modulate and evolve.  It is also an example of how dependency on a single type of cybersecurity is no longer enough to protect your organization. Continuous security audits, layered network security, and best practice education for all employees are essential. Malware isn’t fair, it simply exists, and you have to deal with it.