What is Emotet? How can I protect myself against it?

Security to protect against the World’s most dangerous malware, Emotet


Don’t take any risks: Protect yourself from Emotet now with
Hornetsecurity’s Advanced Threat Protection.

The experts from Hornetsecurity Security Lab observe the return of Emotet after a longer break.

The name Emotet repeatedly appears in the news in connection with extremely serious hacker attacks on companies, administrations, hospitals and universities. What makes Emotet so threatening? How you can protect yourself against it? Hornetsecurity will give you their expert explanation below.

Häufigste Malware Angriffe 2019

What is Emotet?

What is Emotet? Is Emotet a computer-virus? No. Emotet first appeared as a banking Trojan in 2014. The attack was aimed at intercepting online access data of German and Austrian bank customers. Meanwhile, Emotet is able to reload and execute a variety of other modules with other malicious functions. Emotet malware strikes primarily via spam emails and effects private users as well as companies, hospitals, government institutions and critical infrastructures.

It adapts and automates methods of highly professional Advanced Persistent Threat attacks. Cyber criminals proceed very purposefully and with great effort in order to remain capable of acting in the infected system for as long as possible. So, Emotet is not easy to identify and intercept.

One aspect makes Emotet particularly dangerous: Since the end of 2018, the malware has been able to read contact relationships and email content from the mailboxes of infected systems using so-called Outlook harvesting in order to launch further attacks on this basis. The spread is thus extremely rapid. Other recipients will then receive equally authentic-looking emails from people with whom they were recently in contact. Malicious file attachments or URLs contained in the message are opened carelessly. In addition to this spam module, Emotet can also load a worm module, which allows it to spread independently in the company network. This allows it to spread to other computers without requiring users to click and activate an attachment. In this context, Emotet also undertakes brute force attacks with the aim of hacking passwords. This can have serious consequences. Once the computer is infected, Emotet downloads additional malware via C&C servers, depending on the target. There is a risk of data theft, loss of control over systems, failure of the entire IT infrastructure and restrictions on critical business processes. In extreme cases, an entire company‘s networks must be rebuilt after infection. The damages often amount to millions in losses.

Master of disguise: Why is Emotet so difficult to fight?

Emotet trojans are not easy to identify and intercept, because they deceive traditional antivirus products: As a polymorphic virus, the code changes slightly with each new retrieval to avoid detection by signature-based virus scanners. In addition, the virus detects when it is running in a virtual machine. As soon as a sandbox environment is registered, the program falls into a kind-of stand-by mode and does not perform any malicious actions during that moment.

Emotet, TrickBot and the ransomware Ryuk

As mentioned earlier, Emotet loads additional malware after a successful infection. EA particularly dangerous alliance is created when used in conjunction with TrickBot and Ryuk: disguised in a Word document, Emotet penetrates and spies on a corporate network when the file is executed. As a “door opener”, it reloads the banking Trojan TrickBot, which among other things copies account access data. It passes this information on to the ransomware Ryuk, which is the last to be loaded. Ryuk now encrypts all files in the system that TrickBot and Emotet have previously classified as sensitive or important.

How to protect yourself from Emotet?

To effectively protect yourself from Emotet, you need to focus on the main entrance point of the malware: email communication. Hornetsecurity Advanced Threat Protection easily detects Emotet and Ryuk in emails and quarantines both malware programs. The first instance of analysis identifies the Emotet Trojan. The subsequent Trojans Ryuk and TrickBot can be unmasked using the dynamic behavior analysis in the ATP sandbox. Emails containing the perfidious malware are not delivered to the recipients.

In addition, basic, security-relevant behavior must be observed:

  • Since Emotet often hides in Microsoft Office files and needs macros to install malware, it makes sense not to allow them. They are also not needed in private and most business areas. However, if you cannot do without them, it is possible to allow only signed macros.
  • Deployed security updates must be installed immediately for operating systems, anti-virus programs, web browsers, email clients and office programs.
  • Regular data backups are recommended.
  • Vigilance is paramount: Even with supposedly known senders, one should be careful with file attachments of emails, especially with Office documents and contained links. In case of doubt, it is advisable to make direct contact with the sender of a suspicious email and check the credibility of the content.
  • Accesses to the company’s own network should be continuously monitored. In this way it can be determined in a timely manner whether an Emotet-infection has occurred.


Substantial loss of revenue



Ransomware is one of the most popular cyber-criminal methods to make big profits but also to cause immense (financial) damage to the victims. If the blackmailing software gets into a company’s system, all sensitive and confidential files are encrypted and only released again against a ransom in the form of Bitcoins. However, it is not always clear whether the files are actually released after a payment has been made.

Desired targets for the Hacker are primarily large companies and government institutions as well as critical infrastructures. In the worst case, insolvency is threatened after an attack. However, considerable losses in turnover are also among the possible consequences.

More about Emotet


Summarized Information Report

The Infopaper summarizes the recommendations of the Hornetsecurity experts. Download now and find out what Emotet is, what exactly makes the malware Emotet so dangerous, and how users can protect themselves.

More about Emotet

More information about Emotet you’ll find in our newest blogpost “Awaiting the inevitable return of emotet”. As reliable protection against Emotet, Hornetsecurity recommends Advanced Threat Protection.

More information in our blog

The webshells powering Emotet

The webshells powering Emotet

The Hornetsecurity Security Lab presents details on the webshells behind the Emotet distribution operation, including insights into payload downloads and how from 2020-07-22 to 2020-07-24 Emotet payloads on Emotet download URLs were replaced with HTML code displaying GIFs. The analysis shows that the number of downloads of the malicious content behind the Emotet download URLs is significant and has been observed peaking at 50,000 downloads per hour. Highlighting that Emotet emails do get clicked. The analysis further shows that compromised websites are not just compromised once but multiple times by different actors and cleanup efforts by the website administrators are often insufficient leading to re-enabling of the malicious Emotet downloads.
Emotet is back

Emotet is back

On 2020-07-17 the Hornetsecurity Security Lab detected the return of Emotet malspam. The reemerging Emotet malspam was already blocked by existing detection rules. The current Emotet malspam wave again uses malicious macro documents spread either via attachments or via malicious download links. As usual, the VBA macros in the document download the Emotet loader that the Hornetsecurity Security Lab has previously analyzed.

Hornet News – exclusive IT Security news – once a month

  • This field is for validation purposes and should be left unchanged.

What's in store for you?

By registering for our Hornet News you will receive information on current topics in the field of Cloud Security. Take the opportunity to get exclusive information about email security. Detailed analyses, recommendations for action as well as service information specifically geared to companies are waiting for you. Register now free of charge and without obligation and benefit from our expert knowledge.


Access to exclusive content

Get free access to exclusive content such as case studies, white papers, webinars and other interesting information as a subscriber.


News and updates

Discover the latest trends in cloud security in the form of technical articles.


Information about our services

We would be pleased to inform you about new developments in our services and show you in detail how you as a company can benefit from our services.

Visit our IT Knowledge base

Did you like our contribution on the topic Emotet ? Click here for an overview of our knowledge base. There you can learn more about topics such as DDoS attacks, Cryptolocker Virus, Spear-Phishing, Brute Force Attacks, GoBD, Cyber Kill Chain and Ransomware Kill Chain. Learn more now.

Happy Hornetsecurity Customers Across Multiple Industries

Thousands of SMBs & Enterprise Organizations Use Hornetsecurity’s Suite of Solutions
Hornetsecurity References

These customers rely on the Cloud Security Services of Hornetsecurity