Skip to main content


What is Emotet?

Emotet is a computer malware program that was originally developed in the form of a banking Trojan. The goal was to access foreign devices and spy on sensitive private data. Emotet has been known to deceive basic antivirus programs and hide from them. Once infected, the malware spreads like a computer worm and attempts to infiltrate other computers in the network.

Emotet spreads mainly through spam emails. The respective email contains a malicious link or an infected document. If you download the document or open the link, further malware is automatically downloaded onto your computer. These emails were created to look very authentic and many people have fallen victim to Emotet.

Emotet - term and definition

Emotet was first detected in 2014, when customers of German and Austrian banks were affected by the Trojan. Emotet had gained access to the login data of the customers. In the following years to come — the virus would spread globally.

Emotet evolved from a banking Trojan into a Dropper, which means that the Trojan reloads malware onto devices. These are then responsible for the actual damage to the system.

In most cases the following programs were ‘dropped’:

  • Trickster (also known as TrickLoader and TrickBot): A banking Trojan that attempts to gain access to the login data of bank accounts.
  • Ryuk : An Encryption Trojan - also known as a Cryptotrojan or Ransomware - encrypts data and thus blocks the user of the computer from accessing this data or the entire system.

The goal of the cybercriminals behind Emotet is often to extort money from their victims. For example, they threaten to publish or release the encrypted data they get access to.

Who does Emotet target?

Emotet targets private individuals, as well as, companies, organizations, and authorities. In 2018, after being infected with Emotet, the Fuerstenfeldbruck hospital in Germany had to shut down 450 computers and log off from the rescue control center in an attempt to control the infection. In September 2019, the Berlin Court of Appeal was affected, and in December 2019 the University of Giessen. The Medical University of Hannover and the city administration of Frankfurt am Main were also infected by Emotet.

These are just a few examples of Emotet infections, the undisclosed number of affected companies is estimated to be much higher. It is also assumed that many infected companies didn't want to report their breach for fear of damaging their reputation.

It’s also worth keeping in mind that while in the early days, Emotet mainly targeted companies and organizations, the Trojan is now primarily targeting private individuals.

Which devices are at risk from Emotet?

Initially, infections by Emotet were only detected on more recent versions of the Microsoft Windows operating system. However, at the beginning of 2019 it became known that computers made by Apple were also affected by Emotet. The criminals lured users into a trap with a fake email from Apple support. Claiming the company would "restrict access to your account" if you didn’t respond. Victims were then told to follow a link to allegedly prevent the deactivation and deletion of their Apple services.

How does the Emotet Trojan spread?

Emotet is mainly distributed via so-called Outlook harvesting. The Trojan reads emails from users already affected and creates deceptively real content. These emails appear legitimate and personal — thus stand out from ordinary spam emails. Emotet sends these phishing emails to stored contacts like, friends, family members, and work colleagues.

Most of the time, the emails contain an infected Word document that the recipient is supposed to download or a dangerous link. The correct name is always displayed as the sender. So, the recipients think it’s safe: everything looks like a legitimate email. They then (in most cases) click on the dangerous link or download the infected attachment.

Once Emotet has access to a network, it can spread. In the process, it tries to crack passwords to accounts using the brute force method. Other ways Emotet has spread include the EternalBlue exploit and the DoublePulsar vulnerability on Windows which allowed malware to be installed without human intervention. In 2017, the extortion Trojan WannaCry was able to take advantage of the EternalBlue exploit for a major cyberattack that caused devastating damage.

Who is behind Emotet?

The German Federal Office for Information Security (BSI) believes that,

"The developers of Emotet are subleasing their software and infrastructure to third parties".

They also rely on additional malware to pursue their own goals. The BSI believes that the criminals are financially motivated and therefore deem it cybercrime — not espionage. Still, nobody seems to have a clear answer as to who exactly is behind Emotet. There are various rumors regarding the countries of origin, but there is no reliable evidence.

How dangerous is Emotet?

The US Department of Homeland Security came to the conclusion that Emotet is a particularly expensive software with enormous destructive power. The cost of the cleanup is estimated at around one million US dollars per incident. Therefore Arne Schoenbohm, head of the German Federal Office for Information Security (BSI), calls Emotet the "king of malware".

Emotet is without doubt one of the most complex and dangerous malware in history. The virus is polymorphic, which means that its code changes a little bit every time it is accessed.

This makes it difficult for antivirus software to identify the virus: many antivirus programs perform signature-based searches. In February 2020, security researchers from Binary Search discovered that Emotet is now also attacking Wi-Fi networks. If an infected device is connected to a wireless network, Emotet scans all wireless networks nearby. Using a password list, the virus then attempts to gain access to the networks and thus infect other devices.

Cybercriminals like to exploit fears in the population. It's therefore not surprising that the fear of the corona virus, which has been circulating worldwide since December 2019, is also exploited by Emotet. The cybercriminals behind the Trojan often fake emails that are supposed to inform about the corona virus and educate the public. So, if you find such an email in your inbox, be especially careful with any attachments or links in the email.

How can I protect myself from Emotet?

When protecting against Emotet and other Trojans, it is not enough to rely solely on antivirus programs. Detecting the polymorphic virus is just the first step for end users. There is simply no solution that provides 100% protection against Emotet or other constantly changing Trojans. Only by taking organizational and technical measures, can you keep the risk of infection to a minimum.

Here are some tips to protect yourself from Emotet:

  • Keep up to date. Keep yourself regularly informed about further developments concerning Emotet. There are several ways to do this, such reading the Kaspersky Resource Center or doing your own research.
  • Security updates: it is essential that you install updates provided by manufacturers as quickly as possible to close possible security gaps. This applies to operating systems such as Windows and macOS as well as any application programs, browsers, browser add-ons, email clients, Office, and PDF programs.
  • Virus protection: Be sure to install a full virus and malware protection program an such as Kaspersky Internet Security and have it scan your computer regularly for vulnerabilities. This will give you the best possible protection against the latest viruses, spyware, etc.
  • Do not download dubious attachments from emails or click on suspicious links. If you're unsure whether an email is fake, don't take any risks and contact the sender. If you are asked to allow a macro to run on a downloaded file, do not do so under any circumstances, but delete the file immediately. This way you will not give Emotet a chance to get on your computer in the first place.
  • Back up your data regularly to an external storage device. In the event of an infection, you will always have a backup to fall back on and you will not lose all the data on your device.
  • Use only strong passwords for all logins (online banking, email account, online stores). This means not the name of your first dog, but a random arrangement of letters, numbers, and special characters. You can either make these up yourself or have them generated by various programs. In addition, many programs nowadays offer the possibility of a two-factor authentication.
  • File extensions: have your computer display file extensions by default. This allows you to detect dubious files such as „Photo123.jpg.exe". which tend to be malicious programs.

How can I remove Emotet?

First of all, don't panic if you suspect that your PC may be infected with Emotet. Inform your personal circle about the infection, because people in your email contacts are potentially at risk.

Next be sure to isolate your computer if it is connected to a network to reduce the risk of Emotet spreading. Subsequently, you should change all the login data for all your accounts (email accounts, web browsers, etc.) Do this on a separate device that is not infected or connected to the same network.

Because Emotet is polymorphic (meaning that its code changes slightly each time it is accessed), a cleaned computer can be quickly re-infected if it is connected to an infected network. Therefore, you must clean all computers connected to your network — one after the other. Use an antivirus program to help you do this. Alternatively, you can also contact a specialist, such as your antivirus software provider for guidance and help.

EmoCheck: Does the tool really help against Emotet?

The Japanese CERT (Computer Emergency Response Team) has published a tool called EmoCheck, which claims it can be used to check your computer for an Emotet infection. But because Emotet is polymorphic, EmoCheck can’t guarantee a 100% certainty that your computer is not infected.

What EmoCheck does is detect typical character strings and warns you about a potential Trojan. However, the mutability of the virus doesn’t guarantee that your computer is really clean — which is worth keeping in mind.

Final thoughts

The Trojan Emotet is really one of the most dangerous malwares in cyber security history. Anyone could become a victim – private individuals, companies, and even global authorities. Because once the Trojan has infiltrated a system, it reloads other malware that spies on you.

Many of the victims of Emotet are often blackmailed to pay ransom, in order to get the data back. Unfortunately, there is no solution that provides 100% protection against an infection by Emotet. However, there are several measures that can be taken to reduce the risk of an infection.

If you suspect that your computer is infected with Emotet, you should take the actions mentioned in this article to clean your computer and make sure you are protected with a comprehensive antivirus solution such as, Kaspersky antimalware solutions.

Related articles:

Emotet: How to best protect yourself from the Trojan

Emotet is one of the most dangerous Trojans and can cause major damage. Find out more about it and learn how to protect yourself.
Kaspersky Logo