{
	"id": "5ba21c04-e9f2-4622-8667-5d2482030f6a",
	"created_at": "2026-04-12T02:21:09.944261Z",
	"updated_at": "2026-04-12T02:22:41.448121Z",
	"deleted_at": null,
	"sha1_hash": "5bcc539ade925fd23989522a0be75dd7fbd9c870",
	"title": "Trickbot Rebirths Emotet: 140,000 Victims in 149 Countries in 10 Months",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45194,
	"plain_text": "Trickbot Rebirths Emotet: 140,000 Victims in 149 Countries in 10\r\nMonths\r\nBy gmcdouga\r\nPublished: 2021-12-08 · Archived: 2026-04-12 02:17:06 UTC\r\nCheck Point Research (CPR) warns of potential ransomware attacks, as it sees samples of Emotet fast-spreading via Trickbot. Since Emotet’s takedown by law enforcement, CPR estimates 140,000 victims of\r\nTrickbot, across 149 countries in only 10 months. New Emotet samples spreading through Trickbot were\r\ndiscovered by CPR on November 15, 2021. Emotet is a strong indicator of future ransomware attacks, as\r\nthe malware provides ransomware gangs a backdoor into compromised machines.\r\nPortugal and USA have been top targets of Trickbot\r\nTrickbot’s top industry targets are government, finance and then manufacturing\r\nTrickbot relies heavily on a small number of IP addresses for distribution\r\nCheck Point Research (CPR) sees samples of Emotet fast-spreading through surges in Trickbot activity. Once\r\ndescribed as the ‘world’s most dangerous malware’, Emotet provides threat actors with a backdoor into\r\ncompromised machines, which could be leased out to ransomware gang to use for their own campaigns. Hence,\r\nEmotet’s return is a strong indicator of future ransomware attacks.\r\nAt the beginning of the year, an international law enforcement action coordinated by Europol and Eurojust took\r\nover the Emotet infrastructure and arrested two individuals. Ten months later, on November 15, 2021, Trickbot\r\ninfected machines started to drop Emotet samples by promoting users to download password protect zip files,\r\ncontaining malicious documents that are rebuilding Emotet’s botnet network. Emotet has also upgraded its\r\noperations, adding some new tricks to its toolbox.\r\nFigure 1. The graph below shows the victims of Emotet in the year 2021.\r\nhttps://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/\r\nPage 1 of 4\n\n140,000+ Trickbot Victims\r\nTrickbot has demonstrated a persistent rate of growth in activity. CPR spotted more than 140,000 victims affected\r\nby Trickbot all around the globe since the botnet takedown, including organizations and individuals. Trickbot\r\naffected 149 countries in total, which marks more than 75% of all the countries on the world.\r\nFigure 2. Trickbot dynamic of infected machines since November 1, 2020\r\nTrickbot by Geography\r\nAlmost one third of all Trickbot targets are located in Portugal and USA.\r\nFigure 3. Trickbot victims since November 1, 2020 grouped by countries\r\nhttps://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/\r\nPage 2 of 4\n\nTrickbot by Industry\r\nCPR tracked a distribution of victims by industries which is reflected in the graph below. Victims from high\r\nprofile industries constitute more than 50% of all the victims.\r\nFigure 4. Trickbot victims since November 1, 2020 grouped by industries\r\nQuote: Lotem Finkelstein, Head of Threat Intelligence, at Check Point Software:\r\n“Emotet was the strongest botnet in the history of cybercrime with a rich infection base. Now, Emotet has resold\r\nits infection base to other threat actors to spread their malware; and most of the time, it’s been to ransomware\r\nhttps://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/\r\nPage 3 of 4\n\ngangs. Emotet’s comeback is a major warning sign for yet another surge in ransomware attacks as go into 2022.\r\nTrickbot, who has always collaborated with Emotet, is facilitating Emotet’s comeback by dropping it on infected\r\nvictims. This has allowed Emotet to start from a very firm position, and not from scratch. In only two weeks,\r\nEmotet became the 7th most popular malware, as see in our recent Most Wanted Malware List . Emotet is our best\r\nindicator for future ransomware attacks. We should treat Emotet and Trickbot infections like they are ransomware.\r\nOtherwise, it is only a matter of time before we have to deal with an actual ransomware attack.”\r\nCheck Point Protections\r\nCheck Point Software provides Zero-Day Protection across its Network, Cloud, Users and Access Security\r\nSolutions, Check Point Harmony provides the best zero-day protection while reducing security overhead.\r\nTo read the full technical blog, go to: research.checkpoint.com\r\nSource: https://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/\r\nhttps://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2021/12/08/trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months/"
	],
	"report_names": [
		"trickbot-rebirths-emotet-140000-victims-in-149-countries-in-10-months"
	],
	"threat_actors": [],
	"ts_created_at": 1775960469,
	"ts_updated_at": 1775960561,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5bcc539ade925fd23989522a0be75dd7fbd9c870.pdf",
		"text": "https://archive.orkl.eu/5bcc539ade925fd23989522a0be75dd7fbd9c870.txt",
		"img": "https://archive.orkl.eu/5bcc539ade925fd23989522a0be75dd7fbd9c870.jpg"
	}
}