Corporate Loader "Emotet": History of "X" Project Return for Ransomware

Updated: Dec 9, 2021

By Yelisey Boguslavskiy & Vitali Kremez

AdvIntel deep-dives into the contemporary threat landscape illustrating how Emotet’s return might re-shift the ransomware ecosystem.

Executive Summary - Why Corporate Loader Returned?

The November 14, return of Emotet (project "X" internally) correlates with two long-term developments in the ransomware ecosystem: 1) unfulfilled loader commodity demand 2) decline of the decentralized RaaS (Ransomware-as-a-Service) model, and the return of the monopoly of organized crime syndicates such as Conti.

AdvIntel’s visibility into the adversary space enables us to confirm that it was the former Ryuk members who were able to convince former Emotet operators to set up a backend and a malware builder from the existing repository project to return to business in order to restore the TrickBot-Emotet-Ryuk triad. This partnership enables the Conti syndicate to answer the unfulfilled demand for initial accesses on an industrial scale, while competitor groups such as LockBit or HIVE will need to rely on individual low-quality access brokers. As a result, Conti can further advance their goal of becoming a ransomware monopolist.

Image 1: Emotet progression from ransomware partnership taxonomy.

Threat Landscape

On November 14, AdvIntel identified the return of the Emotet loader which has been inactive since January 2021 after a law enforcement takedown. AdvIntel's investigative hypothesis is that this return has been shaped by the contemporary ransomware landscape and will have a major impact on the development of ransomware.

This resurgence of Emotet will likely cause the largest threat ecosystem shift in 2021 and beyond due to three reasons:

  1. Emotet’s unmatched continuous loader capabilities

  2. The correlation between these capabilities and the demanded of the contemporary cybercrime market

  3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

Emotet - “The Most Dangerous Loader”

Emotet is a loader botnet and a criminal syndicate managing this botnet using a loader-as-a-service model. This means that Emotet offers the capabilities of a loader to deliver the payload of its customer.

Emotet became successful in developing this model (and in choosing the “right” ransomware customers); the Department of Homeland Security defined it as one of the most costly and destructive forms of malware, leaving no sector from government to private industry safe.

Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialization for the needs of specific customers. At the same time, Emotet operators leveraged understanding of social issues and conflicts that enabled them to weaponize the socio-political domain for email spam campaigns.

Overall, Emotet's success was constituted by three things.

1. Technical delivery of the payload

2. Creative and persistent approach to spam dissemination

3. Alliances with top-tier groups such as TrickBot and Ryuk