Malware, Threat Management

HHS alerts to ongoing Emotet threat to the healthcare sector

Workers prepare a presentation of advanced email at the CeBIT 2012 technology trade fair on March 5, 2012, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Trojans are the most common malware impacting computer systems in the healthcare sector, the most common of which is Emotet, according to a Department of Health and Human Services Cybersecurity Coordination Center alert containing mitigation strategies for the sector.

Although a global law enforcement effort took down the Emotet botnet in January 2021 using a “timed wiper,” it reemerged less than a year later, using improved commands and dropper capabilities. The Emotet actors have also started to use Cobalt Strike, as its actors work to rebuild the botnet.

The malware first emerged as a banking trojan in 2014 and is one of the longest lasting cybercrime operations. Emotet became one of the most dominant malware variants in 2019.

In the past, Emotet has claimed a number of healthcare victims, including the University of California San Francisco, which paid the attackers $1.14 million in June 2020 to return the data they stole from its school of medicine.

In December 2020, prior to the takedown, one of the last Emotet campaigns was observed sending more than 100,000 emails in a day and leveraged new evasion tactics. The actors behind the threat notoriously used tactics that prey on fears surrounding the pandemic.

Emotet is well known for its evasive tactics, with its actors constantly modifying the variant to ensure the most effective payload. When active, it’s consistently one of the largest senders of malicious emails. For the phishing campaigns, HC3 warns “all that’s needed to begin an Emotet attack” is for a user to click “enable content” within a malicious document to enable the macros.

Its previous botnet campaign and infrastructure was used as a primary gateway on a global scale, with Emotet actors selling access to the victims’ networks on the darkweb to other cybercriminals. The malware is primarily sent using a fully automated phishing process with malicious Word documents attached to the emails.

The latest Emotet research from Proofpoint shows the actors appear to be testing new tactics against Microsoft OneDrive URLs. The researchers observed a low volume of malicious emails distributing Emotet via OneDrive URLs. The tactics were a departure from typical Emotet behavior and suggests the group is testing new attack techniques.

Currently, reports and HC3 researchers have found Emotet is the most dominant trojan, especially against healthcare targets. The ongoing campaigns have primarily targeted Japan, but North America remains a frequent target.

Given the potential impact to the sector, HC3 is urging provider organizations to review the report and attack specifics to bolster defenses. The analysis contains infection patterns, downloader formats, payloads, and operational insights, as well as links to government resources to effective security strategies against the ongoing threat.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.