Ransomware-as-a-service (RaaS) groups are leveraging the Emotet malware for criminal activities. This includes prominent ransomware gangs on underground hacking forums, such as Quantum and BlackCat.
After the retirement of the Russia-based Conti ransomware group, several other players moved into the market; these groups have been active since 2014. Over the years, they have transformed the malware into a highly potent threat capable of doing more damage than its counterparts.
According to sources, Emotet has evolved into a ruthless malware that can download additional payloads onto the victim’s computer, enabling the threat actor to control the victim’s devices remotely.
Emotet Botnet and Conti’s relationship
Since the U.S. seized Conti and its operation, the Emotet infection chain is currently attributed to Quantum and BlackCat. Emotet was tied exclusively to Conti-affiliated operations from November 2021 to June 2022. The malware was also involved in several high-profile cases. However, after Conti’s downfall, reports suggest that it might operate under other names with different groups.
These threat actors use Emotet (also known as SpmTools) for initial access and to drop Cobalt Strike, an adversary simulation tool that emulates the tactics and techniques of a quiet, long-term embedded threat actor, which is then used for ransomware operations.
Groups connected to the Conti ransomware gang are still active, either as parts of other ransomware crews such as BlackCat and Hive or working independently with a particular focus on criminal endeavors.
Though not as infamous as Conti, Quantum is related to the notorious ransomware gang. It has been active in many cybercrime activities, such as call-back phishing.
These groups rely on initial access vectors such as phishing, compromised employee login credentials, and malware distribution, among others.
Researchers find over 1,267,000 Emotet Botnet infections
Threat prevention and loss prevention firm AdvIntel reported over 1,267,000 Emotet infections since the start of this year. According to the company, the threat actor’s peak activity was registered between February and March, coinciding with Russia’s invasion of Ukraine.
Following the first wave, a second surge began in June and July. Data from ransomware groups like Quantum and BlackCat shows that the regions most targeted by Emotet include the U.S., followed by Finland, Brazil, the Netherlands, and France.
Check Point, an Israeli cybersecurity company, also stated that Emotet had dropped from first to fifth in the list of the most prevalent malware for August 2022, coming in behind other malware such as FormBook, Agent Tesla, XMRig, and GuLoader.