How to get rid of Emotet and TrickBot

Steps:

  1. Download Rkill.
  2. Download and install last version (trial) of Malwarebytes in each PC and run an analisys once with internet connection to get latest virus definitions
  3. Disconnect all PCs from the network to avoid one infected PC reinfect one cleaned PC
  4. Run Rkill in each PC to kill any infected process
  5. Run a Malwarebytes full analisys to remove all infected files
  6. Patch every PC with this patch to avoid new infections. This will patch some exploits used by Trickbot, but there is newer versions which use other exploits.
  7. At this point Emotet and Trickbot should not be in your system, but it is so smart that it could keep hidden and reborn in a few days or weeks. So…
  8. Review process list searching for any strange process name. (I should add some powershell script here)
  9. Review schedule task to review any suspicious task
  10. Re-run Rkill + Malwarebytes every day in some random machines for a few weeks.
  11. Change all passwords. Trickbot collects any password it is able to capture. Domain passwords, email passwords, browser rememberd passwords (specially bank accounts)…

Some consequences:

  • Now I have blocked .doc, .docx, .xls, xlst email attachements by default.
  • I am thinking about changing jobs

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *