The November 14th return of Emotet correlates with two long-term developments in the ransomware ecosystem: unfulfilled demand for loader commodities and the decline of the decentralized RaaS (Ransomware-as-a-Service) model, accompanied by the return of the monopoly of organized crime syndicates such as Conti. Researchers at AdvIntel confirmed that it was former Ryuk members who convinced former Emotet operators to set up a backend and a malware builder from the existing code repository and return to business in order to restore the TrickBot-Emotet-Ryuk triad. This partnership enables the Conti syndicate to meet the unfulfilled demand for initial access on an industrial scale, while competitor groups such as LockBit or HIVE will need to rely on individual low-quality access brokers. As a result, Conti can further advance its goal of becoming a ransomware monopolist.
The so-called Emotet-Trickbot-Ryuk triad describes a pattern where Emotet was used for initial access, then Trickbot was deployed, which would eventually lead to an incident with Ryuk ransomware. This model is being revived with an alliance between Emotet, Trickbot, and Conti ransomware. Emotet is most often delivered via malicious emails containing Office documents with macros. Use email filtering technology and train users to spot and report suspicious emails and to never enable macros on attached documents. Implementing a strong endpoint detection solution with a competent SOC to triage alerts, or a service like Binary Defense to triage them, can help detect and contain Emotet infections before the situation gets out of hand.
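One concrete piece of the email-filtering layer described above is an attachment check that flags Office documents carrying VBA macros before they reach a user. The following is an added example written for this page, not code from the original article or from Binary Defense. It inspects OOXML attachments (ZIP containers such as .docm/.docx/.xlsm) for a vbaProject.bin part or a declared VBA content type, and applies a simple heuristic to legacy OLE2 files (.doc/.xls) by looking for the UTF-16LE `_VBA_PROJECT` stream name; the sample attachments are constructed in memory so the script runs offline. File names, the `Verdict` type and the quarantine decision are the example's own assumptions, not something the page specifies.

```python
"""Flag Office e-mail attachments that appear to carry VBA macros (added example)."""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Tuple

# Signatures: OOXML documents are ZIP containers; legacy .doc/.xls are OLE2 compound files.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML declares for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# OLE2 directory entries store stream names as UTF-16LE; this is the VBA project stream name.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


@dataclass
class Verdict:
    filename: str
    quarantine: bool   # True: hold the message for review instead of delivering it
    reason: str


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment should be quarantined as macro-bearing, and why."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
                if vba_parts:
                    return Verdict(filename, True, f"VBA project part present: {vba_parts[0]}")
                content_types = ""
                if "[Content_Types].xml" in names:
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in content_types:
                    return Verdict(filename, True, "VBA content type declared in [Content_Types].xml")
                return Verdict(filename, False, "OOXML container without a VBA project")
        except zipfile.BadZipFile:
            # A ZIP signature that cannot be parsed is itself suspicious: hold it for review.
            return Verdict(filename, True, "ZIP signature but unreadable container; review manually")
    if data.startswith(OLE_MAGIC):
        # Heuristic only: a full check would parse the OLE2 directory (e.g. with oletools).
        if OLE_VBA_MARKER in data:
            return Verdict(filename, True, "OLE2 document with a _VBA_PROJECT stream name")
        return Verdict(filename, False, "OLE2 document without an obvious VBA stream (heuristic)")
    return Verdict(filename, False, "not an Office container")


def scan_attachments(attachments: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Run the check over every (filename, bytes) pair of a message."""
    return [inspect_attachment(name, data) for name, data in attachments]


def build_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML document in memory (constructed sample input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder-vba-bytes")
    return buf.getvalue()


def build_ole_sample(with_vba: bool) -> bytes:
    """Bytes with an OLE2 header (constructed sample; not a valid compound file)."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_vba:
        body += OLE_VBA_MARKER
    return body


if __name__ == "__main__":
    # Constructed sample message: one macro-enabled document, one plain document,
    # one legacy document with a VBA stream name, and a non-Office attachment.
    sample = [("invoice.docm", build_ooxml(True)), ("memo.docx", build_ooxml(False)),
              ("old.doc", build_ole_sample(True)), ("notes.txt", b"just text")]
    for v in scan_attachments(sample):
        print(f"{'QUARANTINE' if v.quarantine else 'deliver   '} {v.filename}: {v.reason}")
```

The OOXML check is reliable because a VBA project can only live in a `vbaProject.bin` part; the OLE2 check is a byte-level heuristic that a proper gateway would replace with a real compound-file parser. Either way, a flagged attachment should be quarantined for SOC triage rather than silently dropped, so that the detection feeds the alerting the article recommends.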