Frankfurt shuts down IT network following Emotet infection

Frankfurt, one of the largest financial hubs in the world and the home of the European Central Bank, has shut down its IT network this week following an infection with the Emotet malware.

Frankfurt is the fourth German entity that shut down its IT network in the past two weeks because of Emotet.

The other three are (1) the Justus Liebig University (JLU) in Gießen, a town north of Frankfurt; (2) Bad Homburg, another city north of Frankfurt; and (3) the Catholic University in Freiburg, a city in southwest Germany, near the French border.

Emotet is a malware operation that infects systems, and then makes money by renting access to infected hosts to other malware groups — including ransomware operators.

All of the above organizations have shut down their network to remove Emotet as quickly as possible and prevent any future ransomware attacks.

Shutting down an IT network incurs financial losses for both public and private organizations, and no system administrator ever wants to take this step. However, security experts from BSI, Germany’s cyber-security agency, played a crucial role in the recent attacks on German entities by recognizing the risk that comes from an Emotet infection and advising victims to take the proper step and avoid a bigger IT disaster down the line.

Unfortunately, the infection at the Justus Liebig University, being one of the earliest (dated December 8), could not be caught in time. According to German newspaper Hessenschau, citing the General Prosecutor Office in Frankfurt, the Emotet malware was used to deploy the Ryuk ransomware on the university’s network.

The university is currently dealing with the aftermath, which includes asking 38,000 students and staff to stand in huge lines to get a new password for their university email accounts.

The next to fall victim to Emotet was the Catholic University in Freiburg, which reported the infection on Tuesday this week, on December 17.

The cities of Frankfurt and Bad Homburg reported Emotet infections the next day, on December 18. Both cities acted immediately to shut down their IT networks.

Frankfurt was the most affected. Everything IT-related provided by the city is currently down, from the city’s website to public transportation ticketing services.

German newspaper Frankfurter Rundschau reported today that the Frankfurt Emotet infection took place after a city employee opened a malicious email attachment.

Emotet’s focus on Germany

The infections across Germany aren’t a surprise. In recent weeks, the Emotet gang has started targeting German users more often.

On the same day the cities of Frankfurt and Bad Homburg were infected, the BSI sent out a security alert warning German organizations about an Emotet email spam campaign that was mimicking German government agencies — and most likely the method through which the two cities were infected.

Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet campaigns, told ZDNet that the Emotet operators often translate their email spam templates to German and target the country’s users.

For example, a campaign that’s underway today using a subject line and lure centered around environmental activist Greta Thunberg also has a German-translated version, Roosen told us.

At this point, it is very clear that the Emotet gang is putting quite the effort into infecting German targets, something it hadn’t done before on this scale.

While we’ve seen cities shut down networks in the past, this usually happened because of ransomware attacks. What German cities are doing now is a first. No cities have reacted like this in the case of an Emotet infection. However, they should, and the BSI was right to recommend that victims shut down and deal with the Emotet infection before it turns into something worse, like ransomware.