The Emotet malware may steal your data

The Emotet malware strain, currently actively spreading around the world and also in Estonia as of August, may cause data leakage and an unintentional violation of the European Union’s General Data Protection Regulation (GDPR).

According to Joosep Sander Juhanson, cybersecurity specialist in the incident response department of the Information System Authority (CERT-EE), the current wave of Emotet is spreading in a slightly modified form. ‘An address book is stolen from the mailbox of an infected computer and transferred to the control server of criminals. Some random real conversations are also collected from the mailbox and a robot network resends them to the parties to the conversation and hundreds of other contacts, all including an attachment or a link with malware.’

In addition to the immediate problems caused by the malware, a company infected by Emotet may find that the personal data and e-mail conversations in its possession are spreading uncontrollably in cyberspace. Because data protection acts and the European Union’s General Data Protection Regulation (GDPR) make the owner of the data responsible for its safety, this may, in the worst-case scenario, result in extensive monetary fines of tens or even hundreds of thousands of euros. According to Juhanson, it is important to acknowledge that if a computer is infected by malware, this poses a real risk to the data, including personal data, stored on that computer. In case of any incidents concerning personal data, companies are obligated to inform the Data Protection Inspectorate within 72 hours.

Emotet is a threat to computers that run the Windows operating system, and the infection mostly spreads through documents attached to e-mails (or, less often, through links). In Estonia, we have witnessed a case in which a person received an e-mail from an acquaintance or a company as a continuation of their existing correspondence; it contained an attachment, and the e-mail just read a laconic ‘Please confirm’ or ‘I would like to seek your advice on this’. In some cases, an e-mail contained a previous conversation that was simply resent with an added attachment. The attachment is a seemingly ordinary MS Office file that, when opened, shows a notice that certain macro content has been restricted. The person has to give consent with an additional click (‘Enable content’). When the person confirms their consent, the computer is infected with the Emotet malware, and the user of the computer does not notice any sign of a virus. The malware, however, keeps changing and adding to itself: CERT-EE has even received notice of password-protected ZIP files that actually contain an MS Office file and Emotet.
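One way to flag the attachment types described above during mail triage, as an added example that is not CERT-EE's own code. The names `triage_attachment` and `build_sample_zip` are hypothetical, and the sample archives are constructed (the "encrypted" sample only sets the ZIP encryption flag, it holds no real ciphertext).

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm")
MAX_MEMBER = 20 * 1024 * 1024                  # never inflate oversized members

def triage_attachment(name, data, depth=0):
    """Return the reasons an e-mail attachment should be held for review."""
    if data.startswith(OLE_MAGIC):
        return [f"{name}: legacy OLE Office file, may carry macros"]
    if depth > 2 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = info.filename
            if info.flag_bits & 0x1:           # bit 0 set: member is encrypted
                kind = "Office file" if inner.lower().endswith(OFFICE_EXT) else "member"
                flags.append(f"{name}: password-protected {kind} {inner}")
            elif inner.lower().endswith("vbaproject.bin"):
                flags.append(f"{name}: OOXML document contains VBA macros")
            elif info.file_size <= MAX_MEMBER:  # inspect plain members for nesting
                flags += triage_attachment(f"{name}/{inner}", zf.read(info), depth + 1)
    return flags

def build_sample_zip(members, encrypted=False):
    """Build a constructed sample archive for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, body in members.items():
            zf.writestr(fname, body)
            if encrypted:                      # mark the entry as encrypted
                zf.filelist[-1].flag_bits |= 0x1
    return buf.getvalue()

if __name__ == "__main__":
    macro_doc = build_sample_zip({"[Content_Types].xml": b"<Types/>",
                                  "word/vbaProject.bin": b"constructed"})
    samples = {
        "reply.docm": macro_doc,
        "invoice.zip": build_sample_zip({"invoice.doc": b"constructed"}, encrypted=True),
        "scan.zip": build_sample_zip({"scan.docm": macro_doc}),
    }
    for fname, blob in samples.items():
        print(fname, "->", triage_attachment(fname, blob) or "no flags")
```

A flag is a reason to quarantine and inspect, not proof of infection: legitimate documents also use macros, and the contents of a password-protected archive cannot be scanned without the password.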

Juhanson gives some suggestions for avoiding infection with Emotet: ‘Even though high-end and consistently updated antivirus programs are often able to identify the attachments that contain malware, the key element here is the awareness and carefulness of users. If you receive an e-mail from an acquaintance or a company that contains an unexpected attachment or link, do not open it! Pay extra attention if the file attached requires an additional click for opening. If you receive an e-mail that contains a somewhat outdated conversation, you may have reason to suspect that it is malware. When in doubt, inform the sender of the e-mail and, in case you already accidentally opened a file or a link, contact the IT services of your company immediately and inform CERT-EE. The easiest thing to do is to send the suspicious e-mail to’

Emotet is currently very active, which is why we recommend that companies inspect and, if necessary, strengthen their information security measures. You should discuss the following issues with your IT partner and service provider:

•    the measures used to block the spread of malware within the company's intranet;
•    ways of detecting that data has been stolen;
•    ways of avoiding and detecting infections in services that employees can access from their personal devices.

See more recommendations on protecting yourself and your company at CERT-EE also offers a free public analysis environment Cuckoo ( that can be used to check potentially infected files for malware.
