An organization’s entire IT network was brought down, with its computers overheating, by an Emotet infection that began when one of its employees was tricked into opening a phishing email attachment, according to a case study shared by Microsoft’s Detection and Response Team (DART).
“After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week,” DART said.
Fabrikam (a placeholder name Microsoft gave the victim in its case study) was infected with Emotet after one of its employees opened a file attached to a phishing email, which also allowed the attackers to steal that employee’s credentials.
Four days after gaining a foothold in the network, the threat actor used their control over the employee’s computer to start sending out phishing emails to other people within the Fabrikam network.
“Fabrikam didn’t have any network visibility tools in place, so for the next twenty-four hours Emotet wormed its way through its infrastructure without raising any red flags. Then, the threat actor brought the whole network down,” according to DART.
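The two behaviours described above, a compromised mailbox suddenly mailing many internal colleagues and a host opening SMB sessions to many internal peers in quick succession, are exactly the kind of fan-out that flow and mail telemetry would have exposed. The following is an added example, not code from Microsoft, DART or the original article: a small Python fan-out detector run over constructed log lines. The log formats, the 10.0.0.0/8 range, the host addresses, the user names, the fabrikam.example domain and the threshold and window values are all assumptions made for the illustration.

```python
"""Fan-out detection over constructed flow and mail logs.

Added illustration, not DART's tooling: flag an actor (host or mailbox) that
reaches many distinct internal targets inside a short window. All log lines,
addresses, names and the domain below are constructed placeholders.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # assumed internal range
INTERNAL_MAIL_DOMAIN = "@fabrikam.example"        # assumed internal mail domain

# Constructed flow records: "<ISO time> <src_ip> <dst_ip> <dst_port>".
# 10.0.5.23 behaves like a worm host; 10.0.7.4 is a normal client.
FLOW_LOG = """\
2020-03-01T09:00:01 10.0.5.23 10.0.5.101 445
2020-03-01T09:00:03 10.0.5.23 10.0.5.102 445
2020-03-01T09:00:04 10.0.7.4 10.0.1.10 445
2020-03-01T09:00:05 10.0.5.23 10.0.5.103 445
2020-03-01T09:00:07 10.0.5.23 10.0.5.104 445
2020-03-01T09:00:09 10.0.5.23 10.0.5.105 445
2020-03-01T09:00:10 10.0.7.4 10.0.1.10 445
2020-03-01T09:00:11 10.0.5.23 10.0.5.106 445
2020-03-01T09:00:12 10.0.5.23 10.0.5.107 445
2020-03-01T09:00:14 10.0.5.23 10.0.5.108 445
2020-03-01T09:00:15 10.0.5.23 10.0.5.101 445
2020-03-01T09:00:18 10.0.5.23 10.0.5.109 445
2020-03-01T09:00:20 10.0.7.4 10.0.1.10 445
2020-03-01T09:00:22 10.0.5.23 10.0.5.110 445
2020-03-01T09:45:00 10.0.7.4 10.0.1.11 445
2020-03-01T10:30:00 10.0.7.4 10.0.1.12 445
"""

# Constructed mail records: "<ISO time> <sender> <recipient>".
# alice's mailbox behaves like the compromised account; bob is normal.
MAIL_LOG = """\
2020-03-05T14:10:00 alice@fabrikam.example carol@fabrikam.example
2020-03-05T14:10:02 alice@fabrikam.example dave@fabrikam.example
2020-03-05T14:10:04 bob@fabrikam.example vendor@supplier.example
2020-03-05T14:10:05 alice@fabrikam.example erin@fabrikam.example
2020-03-05T14:10:07 alice@fabrikam.example frank@fabrikam.example
2020-03-05T14:10:09 alice@fabrikam.example grace@fabrikam.example
2020-03-05T14:10:12 alice@fabrikam.example heidi@fabrikam.example
2020-03-05T14:10:15 bob@fabrikam.example carol@fabrikam.example
2020-03-05T14:10:16 alice@fabrikam.example ivan@fabrikam.example
2020-03-05T14:10:19 alice@fabrikam.example judy@fabrikam.example
"""


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text, port="445"):
    """Yield (ts, src, dst) for internal-to-internal flows on the given port."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if dport == port and is_internal(src) and is_internal(dst):
            yield datetime.fromisoformat(ts), src, dst


def parse_mail(text):
    """Yield (ts, sender, recipient) for messages to internal recipients."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        if rcpt.endswith(INTERNAL_MAIL_DOMAIN):
            yield datetime.fromisoformat(ts), sender, rcpt


def fanout_alerts(events, threshold, window):
    """Sliding-window fan-out: alert once per actor when it has reached at
    least `threshold` distinct targets within `window`. Returns
    {actor: (time of first alert, sorted distinct targets at that moment)}."""
    recent = defaultdict(deque)   # actor -> deque of (ts, target) inside window
    alerts = {}
    for ts, actor, target in sorted(events):
        q = recent[actor]
        q.append((ts, target))
        while ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and actor not in alerts:
            alerts[actor] = (ts, sorted(distinct))
    return alerts


def smb_alerts(threshold=8, window=timedelta(seconds=60)):
    return fanout_alerts(parse_flows(FLOW_LOG), threshold, window)


def mail_alerts(threshold=8, window=timedelta(minutes=5)):
    return fanout_alerts(parse_mail(MAIL_LOG), threshold, window)


if __name__ == "__main__":
    for name, hits in (("SMB fan-out", smb_alerts()), ("internal mail fan-out", mail_alerts())):
        for actor, (ts, targets) in hits.items():
            print(f"{name}: {actor} reached {len(targets)} distinct targets by {ts.isoformat()}")
```

On the constructed data the worm-like host fires at 09:00:14, when it has touched its eighth distinct internal peer within a minute, and the compromised mailbox fires at 14:10:19 after its eighth distinct internal recipient in five minutes; the normal client and the normal sender never cross the threshold. In a real deployment the same rule will also fire on vulnerability scanners, backup servers and bulk-mail senders, so those need an allowlist, and the thresholds have to be tuned to the environment's baseline; the broader point of the Fabrikam case is that without flow or mail telemetry to feed a rule like this, nothing fires at all.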
Within eight days of the malicious attachment being opened, Fabrikam’s entire network had come to a standstill, including its 185-camera surveillance network, with computers overheating, freezing, and rebooting after blue screens, and Internet connections slowing to a crawl because Emotet was consuming all of the available bandwidth.
Furthermore, Fabrikam’s finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam.
Microsoft’s team contained the Emotet infection by using asset controls and buffer zones to isolate the assets that held administrative privileges. It was eventually able to eradicate Emotet completely after deploying new antivirus signatures.