TrickBot or Emotet remediation workflow
Follow these steps to remediate a TrickBot or Emotet infection.
Introduction
The TrickBot or Emotet malware suite is one of the most pervasive and effective ones in the wild right now. It uses several techniques and infection vectors to spread through an environment and to gain persistence on the devices it compromises, so remediating a single device rarely ends an outbreak.
For effective protection, we recommend Intercept X Advanced with EDR.
If you have an active TrickBot or Emotet incident, we recommend contacting us and purchasing our Managed Threat Response Service. This is a highly trained team that can assist in your remediation and provide root cause analysis.
Check your devices
Make sure your devices are up to date and protected. To check your devices, do as follows:
Define the scope of the problem
Don't assume that every device on your network is protected, or that you know about every device on it. There are many ways of identifying devices on your network, and you may already have methods of doing this. The option that works best for you depends on your network size and segmentation.
One of the most common methods is to run a network scan and record what is on the network at that moment. A single scan only shows devices that are powered on and reachable when it runs, so repeat it at different times and compare the results with inventories you already have, such as DHCP leases and Active Directory computer accounts.
You can use third-party tools to do this, such as Advanced IP Scanner.
If you don't want to use a third-party tool, you can use Source of Infection (SOI), a free Sophos tool. It isn't an antivirus product and doesn't detect or remove malware. Instead, you leave it running on a device and it logs every file written to that device.

For each file written, the log records the full file path, the date and time, and whether a local or network process wrote it. For a local process, it records the name and path of the writing file. For a network process, it records the remote IP address or device name.

Use the log to trace files back to the device that wrote them. The typical case is a protected device that keeps getting detections even after several remediation attempts. Repeated detections on a device that has been cleaned mean that another device on the network is infected and is trying to re-infect it, and the network-source entries in the SOI log point at that device.
You can find out more information about Source of Infection in the following knowledge base articles:
- Sophos source of infection tool (SOI): How to download and use
- How to: Run the Source of Infection (SOI) on a remote computer
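The triage step above, as an added example that is not part of the original article and not the Source of Infection tool or its real output: a PowerShell function that takes a write log, keeps only the entries written by a network process, and ranks the remote sources by how many writes they made and how many of those landed in places where a remote write is rarely legitimate (the Windows directory, ProgramData, or any executable file). The column layout `Timestamp,Path,SourceType,Source` and the sample log are assumptions constructed for this example; map the real SOI columns onto them before running it on a live log.

```powershell
# Added example, not the Sophos tool: rank the remote devices that wrote files
# to a host, from a Source of Infection style log. The column layout below
# (Timestamp,Path,SourceType,Source) is an ASSUMPTION for illustration.

function Get-RemoteWriter {
    [CmdletBinding()]
    param(
        # Raw log text including the header row.
        [Parameter(Mandatory)] [string]$LogText,

        # Paths where a write arriving over the network is rarely legitimate.
        [string[]]$SensitivePathPattern = @(
            '^[A-Z]:\\Windows\\',               # e.g. C:\Windows\System32, C:\Windows\Temp
            '^[A-Z]:\\ProgramData\\',
            '\.(exe|dll|bat|cmd|ps1|vbs|js)$'   # executable content anywhere
        )
    )

    $sensitiveRegex = $SensitivePathPattern -join '|'

    # Parse the log and keep only writes that came over the network. Local writes
    # (the user, the scanner, software updates) are investigated on the host itself.
    $events = ($LogText -split "`r?`n" | Where-Object { $_.Trim() }) | ConvertFrom-Csv
    $remote = $events | Where-Object { $_.SourceType -eq 'Network' }

    $remote | Group-Object -Property Source | ForEach-Object {
        $paths = @($_.Group.Path | Sort-Object -Unique)
        $times = @($_.Group.Timestamp | Sort-Object)
        [pscustomobject]@{
            Source          = $_.Name
            Writes          = $_.Count
            SensitiveWrites = @($paths | Where-Object { $_ -match $sensitiveRegex }).Count
            FirstSeen       = $times[0]
            LastSeen        = $times[-1]
            Paths           = $paths -join '; '
        }
    } | Sort-Object -Property SensitiveWrites, Writes -Descending
}

# Constructed sample log (made up for this example, not real SOI output).
$SampleLog = @'
Timestamp,Path,SourceType,Source
2023-05-02 09:14:01,C:\Users\alice\AppData\Local\Temp\invoice.doc,Local,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2023-05-02 09:14:07,C:\Windows\System32\update.exe,Network,192.168.10.45
2023-05-02 09:14:08,C:\Windows\Temp\out.tmp,Network,192.168.10.45
2023-05-02 09:40:10,C:\Users\alice\Documents\Q2\budget.xlsx,Network,FS01
2023-05-02 10:02:11,C:\Windows\System32\update.exe,Network,192.168.10.45
2023-05-02 10:02:15,C:\ProgramData\svc.exe,Network,192.168.10.45
'@

Get-RemoteWriter -LogText $SampleLog |
    Format-Table Source, Writes, SensitiveWrites, FirstSeen, LastSeen -AutoSize

# Against a real log file:
# Get-RemoteWriter -LogText (Get-Content .\SourceOfInfection.log -Raw) | Format-Table -AutoSize
```

In the sample, the file server FS01 writes a single document into a user's folder, which is normal, while 192.168.10.45 repeatedly drops executables into the Windows directory and ProgramData, so it sorts to the top and is the device to isolate and investigate next. The `Paths` column is kept so you can cross-check the dropped file names against the detections on the victim.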
To scan your network, choose from the following options:
Check your protection
Sophos publishes recommended settings for threat protection. They enable multiple layers of protection, which both reduce the chance of infection and make cleanup of an existing infection more effective. To check your protection, do as follows:
Patch your devices
Make sure that all your devices have the latest Windows security patches. In particular, confirm that every device has the fix for the EternalBlue exploit, which the TrickBot or Emotet suite uses as one of its methods of spreading.
EternalBlue exploits a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144) and was notably used by the WannaCry ransomware to spread. Patching it removes this infection vector, which makes it harder for TrickBot or Emotet to move between devices and also protects you against other malware that uses EternalBlue.
Microsoft released the fix in security bulletin MS17-010. The official Microsoft article explains how to verify whether a device has the patch, either from the installed updates or from the version of the SMB server driver srv.sys. See How to verify that MS17-010 is installed.
Sophos has a simple PowerShell script that can be run on individual computers to confirm if they have the patch. For more information about this, see How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.
To patch your devices, do as follows:
- Check if your devices are vulnerable to EternalBlue. A device with SMBv1 disabled can't be exploited by EternalBlue even if it's unpatched, but it still needs the update.
- Update your devices with the latest Windows security patches.
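The check described in the two steps above, as an added example; this is not the Sophos script the article refers to. It reports, for the device it runs on, whether one of the MS17-010 updates is installed, the version of srv.sys (the SMBv1 server driver that MS17-010 replaced) for comparison against the per-OS table in Microsoft's article, and whether SMBv1 is still enabled. The KB list is the March 2017 MS17-010 set as I recall it and should be confirmed against the bulletin; later cumulative updates supersede those KBs, so a missing KB on an up-to-date system does not by itself mean the device is vulnerable, which is why the srv.sys version is reported alongside it. Run it from an elevated PowerShell session.

```powershell
# Added example, not the Sophos script: report a device's MS17-010 / EternalBlue
# exposure. Run elevated. Uses only built-in cmdlets.

function Test-Ms17010 {
    [CmdletBinding()]
    param()

    # KB numbers from the March 2017 MS17-010 release (security-only and monthly
    # rollup per OS). ASSUMPTION: confirm against the bulletin. Later cumulative
    # updates supersede these, so a missing KB does NOT prove exposure.
    $ms17010Kbs = @(
        'KB4012598',              # Vista / Server 2008 (also the out-of-band XP / 2003 fix)
        'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2
        'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217', # Server 2012
        'KB4012606',              # Windows 10 1507
        'KB4013198',              # Windows 10 1511
        'KB4013389'               # Windows 10 1607 / Server 2016
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $kbFound = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }).HotFixID

    # srv.sys is the SMBv1 server driver that MS17-010 replaced. Compare this version
    # with the per-OS table in "How to verify that MS17-010 is installed".
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not present (SMBv1 removed)' }

    # Is SMBv1, the only SMB dialect EternalBlue can exploit, still enabled server-side?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2 have no SMB cmdlets. The SMB1 registry value is
        # absent by default, and absent means enabled.
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    $verdict = if ($kbFound) {
        'MS17-010 KB installed'
    } elseif (-not $smb1Enabled) {
        'SMBv1 disabled: EternalBlue not reachable; still install current updates'
    } else {
        'SMBv1 enabled and no MS17-010 KB found: compare srv.sys version, patch now'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Build         = $os.Version
        Ms17010Kb     = ($kbFound -join ',')
        SrvSysVersion = $srvVersion
        Smb1Enabled   = $smb1Enabled
        Verdict       = $verdict
    }
}

# Single device:
Test-Ms17010

# Whole fleet over WinRM, one row per device (hosts.txt holds one name per line).
# The function uses no outside variables, so it can be shipped as a script block:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-Ms17010} |
#     Sort-Object Verdict |
#     Format-Table ComputerName, OS, Ms17010Kb, SrvSysVersion, Smb1Enabled, Verdict -AutoSize
```

Devices that come back with `Smb1Enabled` true and no KB are the ones to patch first; devices where srv.sys is absent have had SMBv1 removed entirely and can't be reached by EternalBlue at all. Devices that don't answer `Invoke-Command` are themselves a finding, because an unmanaged device is exactly what the scoping step is trying to surface.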
Scan and clean your devices
Scan your devices to find out how many of them have TrickBot or Emotet infections. Then clean the infected devices to prevent reinfection.
To do this, do as follows:
Final remediation
If you're still getting detections, at least one device on your network is still infected and is reinfecting the others.
TrickBot or Emotet infections persist in both a file-based and a fileless form. To remediate them, you need to stop their ability to replicate in both forms, so a device that comes back clean from a file scan can still be spreading the infection from memory. For more information on how this malware functions, see Resolving outbreaks of Emotet and TrickBot malware.
To find the remaining infected devices, do as follows:
TrickBot or Emotet remediation video
This video covers this workflow.