By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.

Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware that is delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high-impact security incidents, as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.

Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let’s take a look at what Emotet has been up to in 2020 and the effect it’s had on the internet as a whole.