article featured image


Conti ransomware is a very dangerous malicious actor because of how quickly it encrypts data and spreads to other computers.

To get remote access to the affected PCs, the organization is usually utilizing phishing attempts to install the TrickBot and BazarLoader Trojans.

What Happened?

Emotet botnet has been reactivated by its previous operator, who was persuaded by members of the Conti ransomware group.

As reported by BleepingComputer, following a lengthy period of malware loader scarcity and the decrease of decentralized ransomware operations, the botnet has resurfaced, allowing organized criminal syndicates to resurface.

Emotet’s biggest customers were Qbot and TrickBot, which utilized their access to spread ransomware (e.g. Ryuk, Conti, ProLock, Egregor, DoppelPaymer, and others).

Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialization for the needs of specific customers.


Because the botnet operators supplied early access on a large scale, many malware operations, particularly those in the so-called Emotet-TrickBot-Ryuk triangle, relied on Emotet for their attacks.

 After the takedown of Emotet, the demand for an efficient source of high-quality access and advanced dissemination was not matched with a proper supply. According to AdvIntel’s sensitive source intelligence, even top-tier groups who have their venues for organized access supply-chains such as Conti (relies on TrickBot, BazarLoader, and Cobalt Strike spam delivery) or DoppelPaymer (relies on Dridex) express concerns regarding the lack of initial accesses.

This discrepancy between supply and demand makes Emotet’s resurgence important. As this botnet returns, it can majorly impact the entire security environment by matching the ransomware groups’ fundamental gap.


Affiliates employed low-level access sellers and brokers, according to the researchers, which contributed to many ransomware-as-a-service (RaaS) companies closing down this year.

With at least one former Ryuk member onboard and collaboration with Emotet’s biggest client, TrickBot, the Conti group was in the strongest position to beg for a comeback from Emotet operators.

Once the botnet expands, the Conti gang will be able to send their payload to high-value targets via Emotet, and will become a prominent player in the ransomware arena.

If you liked this article follow us on LinkedInTwitterYouTubeFacebook, and Instagram to keep up to date with everything cybersecurity.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *