Language switcher

You are here

Estonia was hit by a third wave of malware – always verify the sender’s address before clicking!

The monitoring conducted by the Information System Authority (RIA) and information received from the partners show that the Emotet malware, which can be concealed in documents, files, or under links in e-mails, has infected another large set of computers in Estonia.

According to Joosep Sander Juhanson, information security expert at RIA’s CERT-EE, the third larger wave started yesterday. ‘The latest e-mails with the Emotet malware attached come with the name of the recipient of the e-mail or the receiving company in the title. Previously, we have come in contact with malware e-mails which have appeared to originate from a colleague or a cooperation partner,’ said Juhanson. He added that such fake e-mails are relatively easy to detect by verifying the sender’s address.

‘On the other hand, the perpetrators may have taken over the company’s e-mail account. This means that the e-mails actually arrive from the real address and with familiar work documents attached, but also include the malware. In any case, we will be notifying all users who we know have been infected,’ added Juhanson. Based on initial assessments, it appears that the third wave is being conducted with the help of the data obtained in the course of the previous waves.

What is Emotet?

The malware is used to steal e-mail address books from infected computers; the address books are then sent to the perpetrators. Random actual e-mail conversations are also picked from the mailbox and sent by a robotic network back to the parties to the conversation, as well as to hundreds of other contacts along with an attachment or link containing the malware. In addition to the direct issues caused by the infection of the devices, a company which has been infected with Emotet may end up in a situation in which the personal data in their possession and their e-mail conversations start spreading in the cyber space uncontrollably.

Emotet can spread in computers with the Windows operating system and is mainly spread via documents attached to e-mails (as well as via links in rarer occasions). The content of the e-mail is often a brief message in English, such as ‘Please confirm’ or ‘I would like to seek your advice on this’. On some occasions, the content of the e-mail consists of a previous conversation which is simply resent with an attachment.

The attached documents have typical Word extensions, such as .docx or .doc. When the user attempts to open the file, a message appears, according to which the content of the document cannot be displayed and the software may require updating. The malware reaches the user’s computer if they click once more to permit macros. The English-language Word asks the user to ‘Enable Editing’ or ‘Enable Content’, while the Estonian-language Word message reads ‘Luba redigeerimine’ or ‘Luba sisu’. If the button to grant the permission is clicked, the computer is infected with the Emotet malware, which will remain undetected by the user. The malware, however, keeps transforming and complementing itself – CERT-EE has also been notified of password-protected zip files which actually contain a MS Word file and Emotet.

How to protect yourself from the malware?

If you receive an e-mail with an unexpected attachment or link from an acquaintance or a business, do not open it. Be especially vigilant if an additional click must be made to open the attached file. If you receive an e-mail with a conversation which does not seem quite relevant, the e-mail may be infected with malware. In the case of any suspicions, please notify the sender of the e-mail and, if you have accidentally opened the file or link, immediately contact the IT support of your company and notify CERT-EE (cert[@]

As Emotet is currently spreading very actively, we would advise all companies to check their information security measures and strengthen them, if necessary. Discuss the following issues with your IT partner and service provider:

  • Which measures are used to prevent malware traffic in the company’s networks?
  • How to tell that your data has been stolen?
  • How to prevent and identify infection cases which involve the services which can be accessed by the employees from their personal devices?

Read more about how to protect yourself and your company at: ». CERT-EE offers Cuckoo, a free analysis environment for the public ( »), which can be used to check files which are suspected to contain malware.

Read more:

Seiko Kuik
EISA press officer
+372 5851 7028

More news on the same subject


Large-scale denial-of-service attacks have ended

29.4.2022 – According to the assessment of the Information System Authority (RIA), the denial-of-service attacks that began on 21 April concluded by the evening of 25 April. The purpose of the denial-of-service attacks was to disrupt the operation of 13 websites, but due to the countermeasures applied, the effect of the attacks was insignificant.


DDoS attacks against state websites had no significant effect

21.4.2022 – From 4 p.m. this evening, the security incident management organisation (CERT-EE) of the Information System Authority (RIA) identified distributed denial-of-service (DDoS) attacks against state websites. The attacks caused short-term interruptions in the accessibility of some websites, but had no significant effects.