A new wave of the malware network Emotet has arrived in Estonia

In recent weeks, RIA’s Incident Response Department (CERT-EE) has been notified of several Emotet infections in Estonia. Emotet, a botnet that sells delivery services to other malware families, has been polluting cyberspace for years. In July the botnet was reactivated and is again attacking victims around the world.

Emotet is generally distributed through documents attached to e-mails, using conversations harvested from already compromised mailboxes (so-called thread hijacking). A genuine earlier e-mail from an acquaintance or business partner is often followed by a reply that carries an attachment and a terse message such as ‘Please confirm’. The attachment is a seemingly normal Word file that, when opened, shows a notice that macro content has been disabled, usually together with an image or text in the document body urging the reader to enable it. Enabling it takes one more click (‘Enable Content’).

Clicking either the enable button or the image runs the macro, which fetches and installs Emotet without any visible sign to the user. Once installed, Emotet acts as a delivery service for other criminal groups, who use its infrastructure to push their own malware onto the computer, for example to steal sensitive data or mailbox contents, or later to deploy ransomware that encrypts files.

‘We have to be especially vigilant with such malware, because the sender of the message, the subject line, and the accompanying file can look completely credible,’ said Joosep-Sander Juhanson, an information security expert at CERT-EE. ‘Care should also be taken when receiving an e-mail from an acquaintance with an attachment to avoid infection. If there is the slightest doubt about the content or attachment of the e-mail, we recommend contacting the sender by phone or an alternative channel and asking them about it,’ Juhanson added. Advanced computer users can check suspicious attachments on the website https://cuckoo.cert.ee/. If the document being tested results in a red warning, it should be sent to cert@cert.ee.

‘Additionally, keep in mind that if a file in an e-mail attachment (such as a Word document with a standard extension) asks for something to be enabled or activated when you open it, you should not click on it. If the e-mail is sent to your work e-mail address, contact your workplace’s IT support as soon as possible, as this will help prevent more malware from infecting your workplace. Documents using macros are sent very rarely nowadays; in most cases, it is most likely malware,’ Juhanson emphasised.
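As an added illustration of the check recommended above (this is example code written for this page, not a tool from CERT-EE or from the original article), the following Python script inspects a Word attachment for an embedded VBA project without ever opening it in Word. It handles both container formats the lure can arrive in: OOXML (.docx/.docm), which is a ZIP archive whose macro project is the part `word/vbaProject.bin` and is declared in `[Content_Types].xml`, and the legacy OLE2 .doc format, where the project sits under a `Macros` storage holding a `VBA` storage and a `_VBA_PROJECT` stream. The filenames and sample documents below are constructed fixtures, not real samples, and the OLE2 check is a heuristic match on directory-entry names rather than a full compound-file parser.

```python
import io
import struct
import zipfile

# Magic bytes of the two Word container formats. OOXML (.docx/.docm) is a ZIP archive;
# the legacy binary format (.doc) is an OLE2 compound file.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE2 directory entries are 128 bytes: a 64-byte UTF-16LE name field, a 2-byte name
# length in bytes (including the terminating NUL) and a 1-byte object type
# (1 = storage, 2 = stream, 5 = root). Word stores a VBA project under a "Macros"
# storage that holds a "VBA" storage and a "_VBA_PROJECT" stream.
OLE_STORAGE, OLE_STREAM, OLE_ROOT = 1, 2, 5
VBA_DIRECTORY_NAMES = (("Macros", OLE_STORAGE), ("VBA", OLE_STORAGE), ("_VBA_PROJECT", OLE_STREAM))


def _ole_dir_entry_prefix(name, obj_type):
    """First 67 bytes of an OLE2 directory entry with the given name and object type."""
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    return encoded.ljust(64, b"\x00") + struct.pack("<HB", len(encoded), obj_type)


def _ooxml_macro_indicators(data):
    """Look for a VBA project inside an OOXML (ZIP) package."""
    indicators = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = archive.namelist()
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        indicators.append("vbaProject.bin part present in archive")
    if "vnd.ms-office.vbaProject" in content_types:
        indicators.append("VBA project content type declared")
    if "macroEnabled" in content_types:
        indicators.append("macro-enabled main document content type")
    return indicators


def _ole_macro_indicators(data):
    """Heuristic: search for 128-byte-aligned directory entries naming a VBA project."""
    indicators = []
    for name, obj_type in VBA_DIRECTORY_NAMES:
        pattern = _ole_dir_entry_prefix(name, obj_type)
        pos = data.find(pattern)
        # The 512-byte header is a multiple of 128, so real entries are 128-byte aligned.
        while pos != -1 and pos % 128 != 0:
            pos = data.find(pattern, pos + 1)
        if pos != -1:
            indicators.append(f"OLE directory entry {name!r}")
    return indicators


def triage_word_attachment(data):
    """Classify raw attachment bytes: returns (container, has_macros, indicators)."""
    if data.startswith(ZIP_MAGIC):
        try:
            indicators = _ooxml_macro_indicators(data)
        except (zipfile.BadZipFile, KeyError):
            return "corrupt-zip", False, []
        return "ooxml", bool(indicators), indicators
    if data.startswith(OLE_MAGIC):
        indicators = _ole_macro_indicators(data)
        return "ole2", bool(indicators), indicators
    return "not-a-word-container", False, []


# ---- Constructed fixtures (not real documents) so the script runs offline ----
_DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
_VBA_OVERRIDE = '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'


def build_ooxml_fixture(with_macros):
    """Minimal OOXML-shaped ZIP: a content-types part plus, optionally, a VBA project part."""
    main = _DOCM_MAIN if with_macros else _DOCX_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main}"/>'
        f"{_VBA_OVERRIDE if with_macros else ''}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_fixture(with_macros):
    """OLE2 header followed by 128-byte directory entries (enough for the heuristic, not a valid .doc)."""
    entries = [_ole_dir_entry_prefix("Root Entry", OLE_ROOT), _ole_dir_entry_prefix("WordDocument", OLE_STREAM)]
    if with_macros:
        entries += [_ole_dir_entry_prefix(n, t) for n, t in VBA_DIRECTORY_NAMES]
    return OLE_MAGIC.ljust(512, b"\x00") + b"".join(e.ljust(128, b"\x00") for e in entries)


if __name__ == "__main__":
    samples = {  # constructed filenames; none of these are real Emotet samples
        "invoice.docm": build_ooxml_fixture(True),
        "invoice.docx": build_ooxml_fixture(False),
        "confirm.doc": build_ole_fixture(True),
        "minutes.doc": build_ole_fixture(False),
    }
    for filename, blob in samples.items():
        container, has_macros, why = triage_word_attachment(blob)
        verdict = "DO NOT ENABLE CONTENT, report to IT/CERT" if has_macros else "no VBA project found"
        print(f"{filename}: {container}: {verdict} {why}")
```

A positive result means the document contains a macro project, not that it is necessarily malicious; but, as the article notes, legitimate macro documents are rare enough that a positive hit on an unexpected attachment is reason to stop and contact the sender out of band or IT support rather than click ‘Enable Content’.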

The world’s most widely used anti-virus programs work every day to detect and prevent the spread of new versions of malware. If IT support is not available through your employer and there is reason to believe that your computer is infected with malware, CERT-EE recommends that you use a well-known anti-malware or anti-virus program (with the latest signatures) to scan your computer.

Infections are known to have taken place in the transport and healthcare sectors in Estonia, but as this malware can spread very quickly if one computer is infected, there are probably more affected sectors.

We have also received reports of Emotet’s widespread use in recent weeks from our partner institutions in other countries, including Finland and Latvia. Emotet-infected computers form botnets under the control of criminals, which can be used to carry out attacks on a larger scale. Emotet, which became active again this summer, is considered one of the most dangerous and insidious types of malware.

Kertu Kärk
Head of Communications
+372 5850 9665
kertu.kark@ria.ee
