Security response team looks to stop the spread of Emotet

Swiss government agencies have warned over “severe” ransomware attacks targeting small businesses.

Internet-facing Remote Desktop Protocol (RDP) and Citrix servers with weak login credentials are under attack, the Swiss Computer Emergency Response Team (CERT) warns, adding that booby-trapped websites and email spam have also become a vector in ongoing assaults.

If intended targets either click on links or open infected attachments from an unpatched PC then they are likely to find themselves infected by a first-stage trojan, typically Emotet.

Emotet establishes a beachhead onto compromised network, which is subsequently abused to install ransomware payloads, such as the LockerGoga ransomware that infamously shut down operations at aluminum manufacturer Norsk Hydro in March, and the Trickbot worm.

Other ransomware payloads served up using the same techniques include Ryuk and SamSam, among others.

“We have seen various cases in Switzerland where organizations have been badly hit by this threat and we are aware of even larger damage in Germany,” Swiss CERT said.

The Swiss government CERT offers a detailed run-down of the modus operandi of the attackers, along with advice to SMEs about potential countermeasures, including the use of network segmentation to limit the spread of any infections, blocking suspicious domains, and mandating authentication for web app access.

Separately, the Swiss Reporting and Analysis Centre for Information Assurance, MELANI, offers advice to businesses on protecting against ransomware attacks.

Ransomware loader

The Emotet botnet is active worldwide with Mexico, Argentina, and China the top three countries on the frontline of attacks, according to one of several individual security researchers and firms tracking the threat.

Several researchers are using spam traps and other techniques to track the ransomware loader. Security firm Blueliv warns that the US, Germany, Mexico, UK, and Argentina are currently the top five countries at the receiving end of Emotet malware-laced spam.

Earlier this month security firm Sophos separately warned that Emotet was being abused to sling what it described as “novel” strains of ransomware.

Circumstantial evidence suggests that Switzerland is far from alone in facing the threat

The warning from Swiss CERT can therefore be taken as a sign that it is more aware of the threat or quite agile in its security response, according to Peter Houppermans, a security and privacy specialist who lived and worked in Switzerland for many years.

As well as being targeted in their own right, SMEs may find themselves subject to an attack as criminals look to pivot to their business partners and suppliers, or as part of a supply chain attack against bigger firms, Houppermans told The Daily Swig.

“SMEs frequently do not have the resources to draw on specialized resources, and antivirus alone is not enough,” Houppermans explained.

“Security is a process, so the challenge is how to assist SMEs. The ‘Big Boys’ are well catered for, but SMEs need more assistance.”

RELATED Emotet trojan implicated in Wolverine Solutions ransomware attack