Emotet Reemerges as Prominent Cyber Threat to Healthcare

Emotet has disappeared and reappeared multiple times throughout the years, but HHS warned of its return as a cyber threat to healthcare in its latest brief.

Emotet continues to be a prominent cyber threat to healthcare in 2022, HHS’ Health Sector Cybersecurity Coordination Council (HC3) explained in its most recent brief. Emotet is an advanced banking trojan frequently used in healthcare cyberattacks.

Emotet has been operational since at least 2014 and is believed to be based out of Ukraine. HC3 described it as “A significant part of the cybercriminal ecosystem that maintains many working relationships with other major cybercriminal gangs.”

The threat actors backing Emotet are constantly adapting their capabilities, making it difficult to stop them. In 2019, Emotet became one of the most prominent malware variants. The group was responsible for large phishing campaigns and cyberattacks against high-profile targets, including the city of Frankfurt, Germany and the city of Allentown, Pennsylvania.

From February to July 2020, Emotet appeared to be completely offline. But in July, the threat actors reemerged with new COVID-19-themed phishing attacks against US-based targets. By August 2020, Hornetsecurity observed a 1,000 percent increase in Emotet loader downloads.

Things were trending in the right direction in January 2021, when an international law enforcement coalition compromised the Emotet botnet and later wiped the botnet from victim systems. But by November, the group was active again, and soon executed a campaign using Cobalt Strike.

In an April 2022 report, Proofpoint researchers found that TA542, the group associated with Emotet, had targeted thousands of customers in varying geographic regions.

“However, the new activity observed by Proofpoint is a departure from their typical behaviors and indicates the group is testing new attack techniques on a small scale before adopting them for larger volume campaigns,” Proofpoint suggested.

“Alternatively, these new TTPs may indicate that TA542 may now be engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns.”

HC3 noted that almost 80 percent of the malware affecting computer systems within healthcare are trojans, and Emotet is the most common of them. Behind manufacturing, education, and government, healthcare is one of Emotet’s most frequent targets.

HC3 urged organizations to consult government resources and employ defensive measures to protect themselves from Emotet threat actors.
