The Federal office for information security (BSI) warns strongly against a young, but dangerous pest – the comes across an old acquaintance. The Malware will download other Trojan, and can then cause in a corporate network, a lot of damage.

Already at the beginning of December, the authority warned of E-Mails with a certain Trojan in the Luggage, it sounded dramatic: The Trojan Emotet kursiere and could reload another Malware called TrickBot, which could give attackers full control over a System. “In several of the BSI-known cases, this resulted in large production losses result, since all the corporate networks had to be rebuilt,” said the authority. Elsewhere, she reported that there were “millions in damages” due to “failures of the entire IT infrastructure”.

this week, the BSI warned on Twitter again in front of Emotet: “After a Christmas break is Emotet since Morning mass-Spam sent.” This Time, the office does not but added that Emotet reload only the already known Malware by the name of TrickBot, but “in consequence of the Ransomware Ryuk”. And it has with it.

The speaks to Cisco belonging to the IT security firm Duo Security from a “unholy Alliance”: Emotet of the door opener is, from scouting a network and downloads TrickBot. TrickBot from fishing, among other things, account access data. With all the collected information to the attacker to estimate how much ransom money could be her victim just yet. Then TrickBot loads, in turn, the Ransomware Ryuk. The encrypted files that were detected in the Survey as particularly important. And they also complicated their recovery, by deleting all of the backup copies that you find.

The BSI has gotten “so far, only a few reports to relevant infections” with Ryuk, but in terms of the procedure, a similar view: “informed our assessment is that Ryuk from offenders is used only very occasionally and selectively, after you have looked around extensively in the networks of the victims,” the authority on demand.

Tilman Frosch, managing Director of G Data Advanced Analytics in Bochum , keeps Ryuk for particularly sophisticated, but the delete function he thinks is a Trend in extortion software: “We expect this or next year and more of such automated loss of Back-ups.”

First, it was suspected North Korea, now Ryuk in Russia will be located

Grim Spider – grim spider – called the IT-security firm CrowdStrike in a recent analysis, the backers of Ryuk. Like the other U.S. company FireEye, Kryptos Logic, and McAfee CrowdStrike is now based on the assumption that the group consists of Russian Criminals, after the development of Ryuk was the first to be located in North Korea.

at Least 705 Bitcoins in ransom have been collected the offenders since August of 2018, as Ryuk for the first Time showed up. As of today, this would correspond to the equivalent of approximately 2.25 million euros, due to the since November, has significantly fallen Bitcoin exchange rate, it is likely to be, in fact, been but more. Was paid by at least 22 different Bitcoin Wallets, some in multiple tranches. That could mean that at least 22 companies have capitulated and paid.

“We would always advise against paying the ransom,” says frog. “But if the Alternative is that a company’s set of business or contractual penalties must be expected on the basis of contractual obligations, in excess of the required Ransom, then the question no longer arises.”

Microsoft Word is the most important point of attack

The protection from the fierce spider starts in the mail mailbox. Users should first open any unsolicited sent attachments or Links to click on and thereby open Website download files, even if the sender is known or appears to be. Administrators should, secondly, prohibit the execution of macros in Word, because they are the gateway for Emotet. Alternatively, you could use it instead of Word, the Open Source Alternative LibreOffice in the companies. Thirdly, you should keep the security updates and Patches for Windows up-to-date.

Who’s been a victim of Emotet, you should inform the BSI, according to the immediate environment of the infection. Because E-Mail contacts, and especially the last conversation partners are particularly vulnerable for the next wave of phishing attempts by the perpetrators. “Once infected systems” should be considered to be compromised in addition, “in principle, as completely and must be rebooted”.

reading tip of The own data secure: how to protect yourself from Hacks