As covered in our previous article on Emotet’s disruption, Emotet has been seized by law enforcement. The authorities that seized the notorious malware’s infrastructure have scheduled a mass uninstallation to occur on 25 April 2021. Law enforcement has been busy cracking down on the cybercriminal landscape in 2021, and although Emotet’s seizure and uninstallation is a serious and credible victory for international cooperation, the sizable gap it leaves in the cybercriminal landscape raises the question: who will claim this space?
In late January 2021, Europol announced that the “Emotet” malware and botnet had been disrupted as a result of collaborative action by eight law enforcement authorities. By disrupting and seizing its infrastructure, law enforcement prevented the operators from conducting any further activity. In addition, Ukrainian police arrested two individuals believed to be responsible for the malware and botnet’s infrastructure. This wasn’t the only key revelation: on 27 Jan 2021, the same day as Europol’s press release, a security researcher operating under the alias “milkream” discovered that Emotet was, in fact, installing a new module onto infected devices. This module, however, was not the work of the highly successful cybercriminal operators; other security researchers stated that the German Bundeskriminalamt (BKA) federal police agency was responsible for it.
While the uninstall date initially appeared to be set for 25 March 2021, Malwarebytes confirmed that Emotet’s special day was set for 25 April 2021, meaning that on this day Emotet infections will be uninstalled from their victims’ machines.
Emotet is (was?) one of the most prolific malware variants to have ever existed. Largely delivered via spam emails and phishing, the Trojan has developed considerably over the years. Emotet was first observed in 2014 as a banking Trojan designed to infiltrate its targets and steal sensitive information. It has since evolved to lie dormant when it detects attempts at analysis, uses command and control (C2) servers to receive updates, and was capable of installing secondary malware payloads such as the “Ryuk” ransomware and the “TrickBot” banking trojan.
The seizure and takedown of Emotet’s infrastructure is a significant victory for law enforcement, cyber security practitioners, and victims alike. Emotet has plagued the landscape since 2014 and imposed great financial costs on its targets. According to a 2018 US Department of Homeland Security alert, Emotet has cost State, Local, Tribal and Territorial governments USD 1 million per incident to resolve. Prior to the takedown, the malware reportedly controlled over one million machines, and Emotet is estimated to have made a haul of over USD 2 billion over the years. Given these exceptionally large financial losses, the seizure of Emotet was almost certainly deemed a necessary objective for law enforcement, and its importance is clear to see: Emotet has dominated the cyber threat landscape, and taking it off the board represents a symbolic and strategic victory.
Emotet was known to deliver TrickBot, Ryuk and the QakBot banking trojan, and did so with high levels of success and effectiveness; these variants are formidable in their own right. It is currently unknown whether these malware variants are impeded by Emotet’s takedown. However, given that the operators of TrickBot, Ryuk and QakBot are themselves technically sophisticated and operationally capable, it is unlikely that Emotet’s seizure and uninstallation will significantly harm their long-term activity.
We’ve already seen an increase in activity associated with the BazarCall and IcedID malware variants. These surges were observed in March 2021 but reduced in April 2021. BazarCall is known to distribute BazarLoader and BazarBackdoor, which allow remote access to victim machines; BazarBackdoor is also known to deploy Ryuk ransomware. Given that technically sophisticated and operationally capable cybercriminals are likely to be opportunistic, we will likely see attempts to fill the space left in Emotet’s wake.
While the takedown of Emotet is a big win for everyone but cybercriminals, the efforts to replace it with malware such as BazarCall and IcedID demonstrate that cybercriminal outfits are increasingly organized, ambitious and professionalized. This will almost certainly remain the case in the future; the problem does not end with Emotet. But don’t let this convince you that defenders and law enforcement alike won’t be hot on the tails of any group ambitious enough to replace it.
You can investigate malware operators and proactively defend your organization with a demo request of Search Light (now ReliaQuest GreyMatter Digital Risk Protection). Through updates on the latest malware types and adversary activity, you can assess the risk they pose to your organization with confidence, proactively block associated indicators, and put preventative measures in place for the MITRE techniques involved.
Hundreds of threat actor profiles are continually updated in our Threat Intelligence library in addition to associated TTPs, relevant IOCs, and MITRE techniques mapped by our team at Photon.
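The call to action above is to take the indicators and MITRE techniques published for families such as BazarLoader and IcedID and block them proactively. As an added illustration of the defender-side plumbing that involves, here is a small, self-contained indicator matcher. It is example code written for this page, not ReliaQuest, Search Light or GreyMatter code, and it does not use their APIs. The indicator feed, the proxy log format and every domain, IP address, hash and technique mapping in it are constructed placeholders (RFC 2606 and RFC 5737 reserved names and addresses), not real indicators for any of the families discussed. It shows three things a practitioner usually has to get right: classifying each indicator by type so it is routed to the right enforcement point, matching hostnames against a parent-domain indicator (so `cdn.loader-update.example` is caught by an indicator for `loader-update.example`), and skipping malformed log lines instead of crashing on them.

```python
"""Match a threat-intel indicator feed against proxy log lines.

Added example for this page, not ReliaQuest code. All indicator values,
log lines and ATT&CK technique mappings below are constructed for
illustration and are not real indicators for any malware family.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Indicator:
    value: str      # normalised indicator (lower-case, no trailing dot)
    kind: str       # "domain", "ip" or "sha256"
    family: str     # malware family the feed attributes it to
    technique: str  # ATT&CK technique ID supplied by the feed (constructed here)


_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def classify(raw: str) -> str:
    """Return the indicator type, or raise ValueError for junk feed entries."""
    v = raw.strip().lower().rstrip(".")
    if _SHA256.match(v):
        return "sha256"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.match(v):
        return "domain"
    raise ValueError(f"unrecognised indicator: {raw!r}")


def load_indicators(rows: Iterable[tuple[str, str, str]]) -> dict[str, Indicator]:
    """Build a lookup table from (value, family, technique) feed rows."""
    table: dict[str, Indicator] = {}
    for value, family, technique in rows:
        v = value.strip().lower().rstrip(".")
        table[v] = Indicator(v, classify(v), family, technique)
    return table


def _domain_hit(host: str, table: dict[str, Indicator]) -> Optional[Indicator]:
    """Match host or any parent domain, but never a bare top-level label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        ind = table.get(".".join(labels[i:]))
        if ind is not None and ind.kind == "domain":
            return ind
    return None


def match_logs(table: dict[str, Indicator], lines: Iterable[str]) -> list[dict]:
    """Scan constructed proxy lines: ts client host dst_ip method path action."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 7:          # malformed line: skip, do not crash
            continue
        ts, client, host, dst_ip, method, path, action = parts
        ind = _domain_hit(host, table)
        if ind is None:
            ip_ind = table.get(dst_ip)
            if ip_ind is not None and ip_ind.kind == "ip":
                ind = ip_ind
        if ind is not None:
            hits.append({"ts": ts, "client": client, "host": host, "matched": ind.value,
                         "family": ind.family, "technique": ind.technique, "action": action})
    return hits


def block_recommendations(table: dict[str, Indicator]) -> dict[str, list[str]]:
    """Route each indicator to the control that can enforce it (assumed mapping)."""
    point_for = {"domain": "proxy/dns", "ip": "firewall", "sha256": "edr"}
    out: dict[str, list[str]] = {"proxy/dns": [], "firewall": [], "edr": []}
    for ind in table.values():
        out[point_for[ind.kind]].append(ind.value)
    return out


# Constructed feed: placeholder values, not real IOCs; technique IDs are an assumed mapping.
FEED = [
    ("loader-update.example", "BazarLoader", "T1105"),
    ("203.0.113.45", "IcedID", "T1071.001"),
    ("a" * 64, "BazarBackdoor", "T1204.002"),
]

# Constructed proxy log lines, including a parent-domain hit and a malformed line.
LOGS = """\
2021-04-26T09:14:02Z 10.0.0.12 loader-update.example 198.51.100.7 GET /u.bin ALLOW
2021-04-26T09:14:05Z 10.0.0.12 benign.example 192.0.2.10 GET /index.html ALLOW
2021-04-26T09:20:11Z 10.0.0.31 cdn.example.net 203.0.113.45 POST /gate ALLOW
2021-04-26T09:21:00Z 10.0.0.44 cdn.loader-update.example 198.51.100.9 GET /b ALLOW
malformed line that the parser skips
"""

if __name__ == "__main__":
    table = load_indicators(FEED)
    for hit in match_logs(table, LOGS.splitlines()):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} matched {hit['family']} ({hit['technique']})")
    print(block_recommendations(table))
```

Run as-is it reports three hits (two for the BazarLoader domain, one of them via the parent-domain rule, and one for the IcedID address) and a per-control block list; hashes go to the endpoint agent because a proxy cannot act on them. In a real deployment the feed rows would come from the threat-intelligence library rather than the inline list, and an `ALLOW` on a matched line is the signal that the block has not yet been pushed.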