The zombie botnet known as Emotet has been raised again and returned to active service. Its original operator was persuaded by the Conti ransomware group that a considerable demand for the botnet existed, encouraging its reboot.

Security teams at the cybersecurity intelligence firm Advanced Intelligence (AdvIntel) have stated their opinion that the restart of Emotet was a consequence of the gap the botnet left in the dark web market when law enforcement agencies shut down its activities.

The recent relaunch of the mercenary botnet follows an extended term involving a lack of effective malware loaders and a decline of decentralised ransomware gangs. This climate has allowed syndicates in organised crime to retake their former position in the power structure.

Conti ransomware tipped for dominant role

Considered among the most widely used malware families, Emotet served as a dedicated malware loader that offered other operators initial access to infected systems that had been classified as valuable.

Two names in particular, TrickBot and Qbot, were part of the botnet’s core customers and utilised the access they were granted to deploy a diverse range of ransomware, including DoppelPaymer, Ryuk, Conti, Egregor and ProLock, among many others.

AdvIntel commented on the attack vector:

“Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialization for the needs of specific customers.”

Emotet operators delivered initial access on an industrial scale, resulting in many malware groups depending on the botnet for their campaigns. Emotet-TrickBot-Ryuk was a well-known triad used in cyberattacks.

Ryuk is well-known as the predecessor of the Conti ransomware. The switch happened in 2020, when Conti's operational activity grew more virulent while incidents involving Ryuk were in decline. The threat actors behind both ransomware families have an extensive history of attacking organisations in the education and healthcare sectors.

Why Conti convinced Emotet operators to return

Researchers at AdvIntel commented that after Emotet disappeared, top level cybercriminal groups, such as Conti and DoppelPaymer, were left stranded without an effective product delivering a superior quality of initial access.

AdvIntel explained:

“This discrepancy between supply and demand makes Emotet’s resurgence important. As this botnet returns, it can majorly impact the entire security environment by matching the ransomware groups’ fundamental gap.”

The cybersecurity intelligence experts believe that a key reason contributing to numerous ransomware-as-a-service (RaaS) operators shutting down in 2021 – like Babuk, BlackMatter, DarkSide, Avaddon and REvil – is that affiliates employed low-level access brokers and sellers.

With competitors exiting the ransomware scene, more traditional outfits like Conti advanced up the cybercriminal food chain, attracting the most talented malware experts who had left the disbanded RaaS organisations in droves.

Given this cybercriminal climate, the researchers at AdvIntel believe that the Conti group, having teamed up with Emotet's largest client TrickBot, was the party most likely to be in a position to request the return of Emotet. The research team is now confident that future Conti ransomware payloads will be deployed via the resurrected botnet as soon as it has returned to full strength.
