Language switcher

You are here

The Emotet malware may steal your data

The Emotet malware strain, currently actively spreading around the world and also in Estonia as of August, may cause data leakage and an unintentional violation of the European Union’s General Data Protection Regulation (GDPR).

According to Joosep Sander Juhanson, the cybersecurity specialist of the incident response department of the Information System Authority (CERT-EE), the current wave of Emotet is spreading in a slightly modified form. ‘An address book is stolen from the mailbox of an infected computer and transferred to the control server of criminals. Some random real conversations are also collected from the mailbox and a robot network resends them to the parties of the conversation and hundreds of other contacts, all including an attachment or a link with malware.’

In addition to the immediate problems caused by the malware, a company infected by Emotet may find that the personal data and e-mail conversations in their possessions are uncontrollably spreading in the cyberspace. Whereas, pursuant to data protection acts and the European Union’s General Data Protection Regulation (GDPR), the owner of data is responsible for its safety, this may, in the worst case scenario, result in extensive monetary fines of tens or even hundreds of thousands of euros. According to Juhanson, it is important to acknowledge that if a computer is infected by malware, this proposes a real risk to the data, including personal data, stored in this computer. In case of any incidents concerning personal data, companies are obligated to inform the Data Protection Inspectorate within 72 hours.

Emotet is a threat to computers that rely on the Windows operation system, and the infection mostly spreads through documents (or, less often, through links) attached to e-mails. In Estonia, we have witnessed an occasion where a person received an e-mail from an acquaintance or a company as a sequel to their existing correspondence that contained an attachment, and the e-mail just read a laconic ‘Please confirm’ or ‘I would like to seek your advice on this’. In some cases, an e-mail contained a previous conversation that was just resent with an added attachment. An attachment is a seemingly ordinary MS Office file that reveals a restriction on certain macro contents upon opening. A person has to give consent with an additional click (‘Enable content’). When the person confirms their consent, the computer gets infected with the Emotet malware, whereas the user of the computer does not notice any viruses. The malware, however, keeps on amending and complementing itself: CERT-EE has even received notice of password-controlled ZIP files that, in actuality, contain an MS Office file and the Emotet.

Juhanson gives some suggestions to avoid getting infected with Emotet, ‘Even though high-end and consistently updated antivirus programs are often able to identify the attachments that contain malware, the key element here is the awareness and carefulness of users. If you receive an e-mail from an acquaintance or a company that contains an unexpected attachment or link, do not open it! Pay extra attention if the file attached requires an additional click for opening. If you receive an e-mail that contains a somewhat outdated conversation, you may have reason to suspect that it is malware. When in doubt, inform the sender of the e-mail and, in case you already accidentally opened a file or a link, contact the IT-services of your company immediately and inform CERT-EE. The easiest thing to do is to send the suspicious e-mail to’

Emotet is currently very active, which is why we recommend companies to inspect and, if necessary, strengthen their information security measures. You should discuss the following issues with your IT partner and service provider:

•    the measures used to block the spreading of malware in the intranet of the company;
•    ways for understanding that data has been stolen;
•    ways for avoiding and detecting infections for services that employees can access from their personal devices.

See more recommendations on protecting yourself and your company at CERT-EE also offers a free public analysis environment Cuckoo ( that can be used to check potentially infected files for malware.

More news on the same subject


Estonia was hit by a third wave of malware – always verify the sender’s address before clicking!

16.10.2020 – The monitoring conducted by the Information System Authority (RIA) and information received from the partners show that the Emotet malware, which can be concealed in documents, files, or under links in e-mails, has infected another large set of computers in Estonia.


Topics of RIA’s quarterly overview: a clever Trojan is taking over Estonians’ computers and the HOIA app is safe

06.10.2020 – The computers of more than a hundred Estonians were infected with the Emotet Trojan. This malware, which creates access to a user’s computer for carrying out further attacks, has affected Estonian trade, transport, and construction companies as well as one smaller government agency. In addition, the Information System Authority (RIA) recommends downloading the HOIA app to limit the spread of the coronavirus and keeping your smart devices updated.