What is Emotet? How can I protect myself against it?

Security to protect against the World’s most dangerous malware, Emotet


Don’t take any risks: Protect yourself from Emotet now with
Hornetsecurity’s Advanced Threat Protection.

The experts from Hornetsecurity Security Lab observe the return of Emotet after a longer break.

The name Emotet repeatedly appears in the news in connection with extremely serious hacker attacks on companies, administrations, hospitals and universities. What makes Emotet so threatening? How you can protect yourself against it? Hornetsecurity will give you their expert explanation below.

Häufigste Malware Angriffe 2019

What is Emotet?

What is Emotet? Is Emotet a computer-virus? No. Emotet first appeared as a banking Trojan in 2014. The attack was aimed at intercepting online access data of German and Austrian bank customers. Meanwhile, Emotet is able to reload and execute a variety of other modules with other malicious functions. Emotet malware strikes primarily via spam emails and effects private users as well as companies, hospitals, government institutions and critical infrastructures.

It adapts and automates methods of highly professional Advanced Persistent Threat attacks. Cyber criminals proceed very purposefully and with great effort in order to remain capable of acting in the infected system for as long as possible. So, Emotet is not easy to identify and intercept.

One aspect makes Emotet particularly dangerous: Since the end of 2018, the malware has been able to read contact relationships and email content from the mailboxes of infected systems using so-called Outlook harvesting in order to launch further attacks on this basis. The spread is thus extremely rapid. Other recipients will then receive equally authentic-looking emails from people with whom they were recently in contact. Malicious file attachments or URLs contained in the message are opened carelessly. In addition to this spam module, Emotet can also load a worm module, which allows it to spread independently in the company network. This allows it to spread to other computers without requiring users to click and activate an attachment. In this context, Emotet also undertakes brute force attacks with the aim of hacking passwords. This can have serious consequences. Once the computer is infected, Emotet downloads additional malware via C&C servers, depending on the target. There is a risk of data theft, loss of control over systems, failure of the entire IT infrastructure and restrictions on critical business processes. In extreme cases, an entire company‘s networks must be rebuilt after infection. The damages often amount to millions in losses.

Master of disguise: Why is Emotet so difficult to fight?

Emotet trojans are not easy to identify and intercept, because they deceive traditional antivirus products: As a polymorphic virus, the code changes slightly with each new retrieval to avoid detection by signature-based virus scanners. In addition, the virus detects when it is running in a virtual machine. As soon as a sandbox environment is registered, the program falls into a kind-of stand-by mode and does not perform any malicious actions during that moment.

Emotet, TrickBot and the ransomware Ryuk

As mentioned earlier, Emotet loads additional malware after a successful infection. EA particularly dangerous alliance is created when used in conjunction with TrickBot and Ryuk: disguised in a Word document, Emotet penetrates and spies on a corporate network when the file is executed. As a “door opener”, it reloads the banking Trojan TrickBot, which among other things copies account access data. It passes this information on to the ransomware Ryuk, which is the last to be loaded. Ryuk now encrypts all files in the system that TrickBot and Emotet have previously classified as sensitive or important.

How to protect yourself from Emotet?

To effectively protect yourself from Emotet, you need to focus on the main entrance point of the malware: email communication. Hornetsecurity Advanced Threat Protection easily detects Emotet and Ryuk in emails and quarantines both malware programs. The first instance of analysis identifies the Emotet Trojan. The subsequent Trojans Ryuk and TrickBot can be unmasked using the dynamic behavior analysis in the ATP sandbox. Emails containing the perfidious malware are not delivered to the recipients.

In addition, basic, security-relevant behavior must be observed:

  • Since Emotet often hides in Microsoft Office files and needs macros to install malware, it makes sense not to allow them. They are also not needed in private and most business areas. However, if you cannot do without them, it is possible to allow only signed macros.
  • Deployed security updates must be installed immediately for operating systems, anti-virus programs, web browsers, email clients and office programs.
  • Regular data backups are recommended.
  • Vigilance is paramount: Even with supposedly known senders, one should be careful with file attachments of emails, especially with Office documents and contained links. In case of doubt, it is advisable to make direct contact with the sender of a suspicious email and check the credibility of the content.
  • Accesses to the company’s own network should be continuously monitored. In this way it can be determined in a timely manner whether an Emotet-infection has occurred.


Substantial loss of revenue



Ransomware is one of the most popular cyber-criminal methods to make big profits but also to cause immense (financial) damage to the victims. If the blackmailing software gets into a company’s system, all sensitive and confidential files are encrypted and only released again against a ransom in the form of Bitcoins. However, it is not always clear whether the files are actually released after a payment has been made.

Desired targets for the Hacker are primarily large companies and government institutions as well as critical infrastructures. In the worst case, insolvency is threatened after an attack. However, considerable losses in turnover are also among the possible consequences.

More about Emotet


Summarized Information Report

The Infopaper summarizes the recommendations of the Hornetsecurity experts. Download now and find out what Emotet is, what exactly makes the malware Emotet so dangerous, and how users can protect themselves.

More about Emotet

More information about Emotet you’ll find in our newest blogpost “Awaiting the inevitable return of emotet”. As reliable protection against Emotet, Hornetsecurity recommends Advanced Threat Protection.

More information in our blog

Email Conversation Thread Hijacking

Email Conversation Thread Hijacking

You should only open email attachments and links from senders you know is an advice often given when it comes to preventing email-based malware and phishing attacks. However, in this article we outline an attack technique called email conversation thread hijacking, which uses victim’s existing email conversations and thus trust-relationships to spread to new victims. Against this attack the previous advice will not help. We explain how email conversation thread hijacking is used by attackers, and why it dramatically increases the likelihood for victims to open malicious links or malicious attachments.
Emotet Update increases Downloads

Emotet Update increases Downloads

The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads correlates with Emotet’s packer change, which causes the Emotet loader to be less detected by AV software. Our gathered data suggests that the increase in Emotet loader downloads stems from the loader being detected less and thus also the Emotet loader download URLs being blocked less by security mechanisms. Our data, however, also suggests that AV vendors are already closing the detection gap and the detection of the Emotet loader should increase again and thus the number of downloads decreasing again. This analysis is a good display of the impact of the changes to the Emotet loader’s packer.

Hornet News – exclusive IT Security news – once a month

  • This field is for validation purposes and should be left unchanged.

What's in store for you?

By registering for our Hornet News you will receive information on current topics in the field of Cloud Security. Take the opportunity to get exclusive information about email security. Detailed analyses, recommendations for action as well as service information specifically geared to companies are waiting for you. Register now free of charge and without obligation and benefit from our expert knowledge.


Access to exclusive content

Get free access to exclusive content such as case studies, white papers, webinars and other interesting information as a subscriber.


News and updates

Discover the latest trends in cloud security in the form of technical articles.


Information about our services

We would be pleased to inform you about new developments in our services and show you in detail how you as a company can benefit from our services.

Visit our IT Knowledge base

Did you like our contribution on the topic Emotet ? Click here for an overview of our knowledge base. There you can learn more about topics such as DDoS attacks, Cryptolocker Virus, Spear-Phishing, Brute Force Attacks, GoBD, Cyber Kill Chain and Ransomware Kill Chain. Learn more now.

Happy Hornetsecurity Customers Across Multiple Industries

Thousands of SMBs & Enterprise Organizations Use Hornetsecurity’s Suite of Solutions
Hornetsecurity References

These customers rely on the Cloud Security Services of Hornetsecurity