Just 10 months from its takedown, the malware has resurfaced with a vengeance—in the form of Trickbot infections.

Through surges in Trickbot activity, the banking trojan known as Emotet has been spreading fast recently.

Once described as the world’s most dangerous malware, Emotet provides threat actors with a backdoor into compromised machines, which could be leased out to ransomware groups to use for their own campaigns.

Victims of Emotet in 2021

The back story is that an international law enforcement action coordinated by Europol and Eurojust had seized the Emotet infrastructure early this year. Now, 10 months later, machines infected with Trickbot tricking users to download password protected zip files containing Emotet. This has been helping to rebuild Emotet’s botnet network.

Check Point Research (CPR), which reported this trend, has counted around 140,000 Trickbot victims since the botnet takedown, including organizations and individuals. In total, Trickbot has affected 149 countries, which comprises more than 75% of all the countries on the world.

Almost one third of all Trickbot targets are located in Portugal and USA, while high profile industries constituted more than 50% of all the victims.

According to CPR’s Head of Threat Intelligence, Lotem Finkelstein: “With a rich infection base Emotet was the strongest botnet in the history of cybercrime. Now, the actors behind it have resold its infection base to other threat actors to spread their malware; and most of the time, it’s been to ransomware gangs. Trickbot, who has always collaborated with Emotet, is facilitating Emotet’s comeback by dropping it on infected victims. This is a major warning sign for yet another surge in ransomware attacks as go into 2022.”

Finkelstein noted that Emotet has already become the 7th most prevalent malware: “We should treat Emotet and Trickbot infections like they are ransomware. Otherwise, it is only a matter of time before we have to deal with an actual ransomware attack.”