

What is Emotet? The virus that hit Allentown computers is widespread and dangerous

The city of Allentown may spend $1 million recovering from a cyberattack
Morning Call/File photo

The malware that infected the city of Allentown’s computer systems last week is an especially pernicious program that spreads via infected email attachments and has been attacking banks, hospitals and other industries since it was first detected four years ago.

The Emotet program has subsided and re-emerged several times over the years, using keystroke recording and other means to steal financial information.

It is usually hidden in booby-trapped Microsoft Word documents, which are sent as email attachments made to look like payment vouchers or other routine business documents.
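The lure described above, a Word document posing as a payment voucher, leaves two things a mail gateway can check before a user ever clicks: whether an Office attachment carries a VBA macro project, and whether the file's real content matches the type its name claims. The following Python script is an added example, not code from the article, the city or any of the firms quoted; the sample message it builds is constructed in the script (the "Payment_Voucher.docm" and "Invoice.pdf" names and the placeholder macro bytes are invented for illustration, not taken from a real Emotet sample). It assumes the macro-in-Office-document delivery that Emotet has historically used, which the article only describes in general terms.

```python
"""Flag e-mail attachments that match the 'payment voucher' lure:
Office documents carrying a VBA macro project, legacy OLE containers,
and files whose declared extension does not match their real content."""
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
PASSIVE_EXTS = {"pdf", "txt", "csv", "jpg", "png"}  # types that should never contain Office code


def classify_payload(data: bytes) -> str:
    """Derive a coarse content type from the bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-broken"
        if any(n in names for n in MACRO_PARTS):
            return "ooxml-macro"  # Office Open XML with an embedded VBA project
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "other"


def scan_attachments(raw_eml: bytes) -> list[dict]:
    """Walk an RFC 822 message and return one finding per suspicious attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = classify_payload(data)
        reasons = []
        if kind == "ooxml-macro":
            reasons.append("Office document contains a VBA macro project")
        elif ext in MACRO_EXTS:
            reasons.append("macro-enabled Office extension")
        if kind == "ole":
            reasons.append("legacy OLE container (binary .doc/.xls), may carry macros")
        if ext in PASSIVE_EXTS and kind in ("ole", "ooxml", "ooxml-macro", "zip"):
            reasons.append(f"extension .{ext} does not match content ({kind})")
        if name.count(".") > 1:
            reasons.append("double extension")
        if reasons:
            findings.append({"filename": name, "content": kind, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample lure modelled on the article's description; not a real sample."""
    def ooxml_with_macro() -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
        return buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Payment voucher"
    msg.set_content("Please find the voucher attached.")
    msg.add_attachment(ooxml_with_macro(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Payment_Voucher.docm")
    # An OLE file renamed to look like a PDF: name and content disagree.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 504, maintype="application",
                       subtype="pdf", filename="Invoice.pdf")
    msg.add_attachment("plain notes, nothing to flag", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_message()):
        print(finding["filename"], finding["content"], "; ".join(finding["reasons"]))
```

The check relies on file magic and on the zip directory of an Office Open XML document rather than on the attachment name, because the name is entirely under the sender's control; a real gateway would pair this with quarantining anything that lands in the findings list rather than just logging it.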

The effects on Allentown — beyond the estimated $1 million it will cost to fix the problem, and lost productivity from the shutdown of systems in an effort to contain the attack — are not yet known.

Nor is it clear how the incident will affect people who do business with the city.

While officials said there’s no evidence to suggest personal information of residents has been compromised, they also warned against opening emails with attachments that appear to originate from the city. That could spread Emotet to home users.

Because Emotet is “polymorphic” — meaning its code changes from one copy to the next — signature-based antivirus and firewall filters that look for a known pattern often miss it, and it can infect systems with incredible speed, experts say.

In December, computer security company Bromium reported that Emotet bypassed 50 out of 66 antivirus programs during a test.

“It seems to be getting smarter,” said Mike Hawkins, CEO of the Allentown cybersecurity company Netizen, offering an unnerving assessment of Emotet and its capabilities.

Like other so-called banking malware, the virus detects when users go to banking websites and captures PINs and other credentials.

One such program, Dridex, caused $40 million in losses worldwide in 2014-15, mainly in the United Kingdom.

“The goal is to capture login credentials for banking systems,” said Charlie Indelicato, Netizen’s senior cybersecurity engineer. “It’s not limited to only that, but login credentials are login credentials. The goal is to compromise the system, and if there’s money at the end of the attack, that’s to their benefit.”

The FBI and the Department of Homeland Security, which investigate cybercrimes, list Emotet as one of the malware programs propagated by “Avalanche,” a global infrastructure network used by criminals to conduct phishing and malware distribution campaigns.

Lance Hawk, a longtime corporate computer security manager who now runs Computer Forensics and IT Security Solutions, a private firm in south Allentown, said Emotet is properly called a Trojan horse program.

That’s because it smuggles infections into systems under seemingly harmless guises, dropping what are called “payloads” that attack systems in different ways.

“It’s allowed in via the infamous click,” said Hawk, who — like Indelicato and Hawkins — was speaking of malware in general and not the Allentown incident in particular. “It could be disguised as anything — a message from the IT department, an Amazon gift card.”

Hackers depend on that sort of human error.

“All it takes is one person to click on an email or one person to plug in an infected USB drive — no security in the world is going to protect you,” Hawk said.

Still, even savvy and sharp-eyed users can be victimized. Clicking on an infected link doesn’t set off alarm bells. The infection works quietly.

“The malware writers are very good at what they do,” Indelicato said. “They cover their tracks very well.”

Allentown’s technology director, Matthew Leibert, said Tuesday the attack is under criminal investigation. Allentown spokesman Mike Moore did not know by whom. The FBI does not acknowledge open investigations.

Because systems were shut down to contain the virus, the city’s finance department cannot complete any external banking transactions, and the police department cannot access databases controlled by the Pennsylvania State Police, Mayor Ed Pawlowski said Tuesday.

Allentown officials said the malware was detected in its system last week and quickly proved too complex for in-house technology staff to handle.

The city contracted with Microsoft to have a team of experts stop the virus and undo the damage to the system — a process that has already cost $185,000 and could end up costing close to $1 million, according to Pawlowski.

The virus threatens all city systems that run Microsoft software, including Allentown’s surveillance camera network, Pawlowski said. Allentown has about 185 cameras across the city.

How the malware infected city systems hasn’t been determined, officials said.

Hawkins, of Netizen, said the recovery time after an attack can vary widely.

“It depends on how good a backup system they have and how well they have been prepared for it,” he said.

Last month, the Rockingham County School District in North Carolina spent more than $300,000 rebuilding 20 servers after an Emotet attack that began when an employee clicked on a link in a phishing email, according to media reports.

Hawk said the biggest costs to affected agencies come after the attack is contained, because systems have to be safeguarded against a repeat.

“You’re changing hardware and software and training people in best practices for email and web browsing,” he said.
