May 2022

Emotet Analysis: New LNKs in the Infection Chain - The Monitor, Issue 20

Kroll has been tracking Emotet since it was first identified in 2014, especially during its transition from a banking Trojan designed to primarily steal credentials and sensitive information to a multi-threat polymorphic downloader for more destructive malware. Today, Emotet operators stand as one of the most prominent initial access brokers, providing cybercriminals with access to organizations for a fee.

Q1 2022 - Threat Landscape Virtual Briefing: Threat Actors Target Email for Access and Extortion

Watch the Q1 2022 Threat Landscape Virtual Briefing to hear from Kroll’s cyber threat intelligence leaders as they explore key insights and trends from 100s of incident response cases handled by Kroll worldwide.

Q1 2022 Threat Landscape: Threat Actors Target Email for Access and Extortion

In Q1 2022, Kroll observed a 54% increase in phishing attacks being used for initial access in comparison with Q4 2021. Email compromise and ransomware were the two most common threat incident types, highlighting the integral part played by end users in the intrusion lifecycle.

The Kroll Intrusion Lifecycle: Threat Actor Behavior from a Visual Perspective

Across the thousands of cyber incidents that Kroll’s global team investigates every year, our experts are constantly on the hunt to spot established patterns of threat actor activity—and to discover new ones. In observing attack patterns, our experts discovered that threat actors like repeatability. Certain actors can be predictable not only in how they attack, but also in the tools and tactics they use once they have access.