Shortly after the Conti ransomware group ceased operations in June 2022, Ransomware-as-a-Service (RaaS) groups such as Quantum and BlackCat began leveraging the Emotet malware. Emotet started as a banking trojan in 2014, but successive upgrades have turned it into a loader: a highly dangerous threat that downloads additional payloads onto the victim’s computer and lets attackers control it remotely. “From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat,” stated researchers at AdvIntel. In a typical attack sequence, Emotet drops Cobalt Strike, which is then used as the post-exploitation tool for the ransomware operation. Even though the Conti ransomware gang was disbanded, some of its members are still engaged in criminal activity, either independently or as members of other ransomware gangs such as BlackCat and Hive.
“Conti affiliates use a variety of initial access vectors including phishing, compromised credentials, malware distribution, and exploiting vulnerabilities,” stated researchers at Recorded Future. According to AdvIntel, approximately 1,267,000 Emotet infections have been reported worldwide since the beginning of 2022, with activity peaks in February and March that coincided with Russia’s invasion of Ukraine. A second spike, between June and July, is attributed to the ransomware gangs Quantum and BlackCat. The countries most targeted by Emotet are the United States, Finland, Brazil, the Netherlands, and France. According to Check Point, an Israeli cybersecurity company, Emotet dropped from first to fifth place on its list of the most prevalent malware in August 2022.