Phishing Attack Sees School District Network Crippled by Emotet Malware

Employees of the Rockingham County Schools District in North Carolina have inadvertently disabled their entire network after falling for phishing emails. Several employees opened malicious Microsoft Word documents that resulted in multiple copies of Emotet malware being installed.

Emotet malware is a computer Trojan that steals financial information first by injecting code into the networking stack, then installing itself in software modules. The malware can also steal address books and perform Denial of Service (DoS) attacks on other systems connected to the infected computer.

The phishing emails that proved so effective were word documents claiming to be invoices. The subject line on the emails was Incorrect invoice. The emails were received on December 11, with the infections detected three days later when several machines were unable to connect to the network. It became apparent the following day that the attackers had gained access to several email accounts, which were used to send spam emails. Some Google accounts were subsequently closed down due to spamming.

Once the infection was detected, the school district attempted to remove the Trojan, although while the malware was removed, reinfection occurred.

No personal or financial data appears to have been compromised, with the spamming from school district email accounts the limit of the malicious activity. The school district has also had to cope with network downtime and a lack of online services for more than a week.

As the school district has discovered, it is not possible to simply remove the malware. The only way that the malware can be removed is for infected computers and servers to be rebuilt from scratch. The school district does have an anti-virus solution from Sophos, which in theory can remove the virus; however, the Emotet Trojan has the ability to go dormant making detection and removal difficult, and reinfection can easily occur.

The school district will therefore have to totally rebuild 20 physical and virtual servers. The process is expected to take up to 30 days to complete.

The clean up operation is now underway, and additional policies and been introduced to prevent similar incidents from occurring in the future. Teachers have now been prohibited from downloading third party software onto their computers and the use of portable storage devices has been banned. Instead, Google’s cloud storage service will be used.

The phishing attack highlights just how important it is to provide phishing awareness training to employees in addition to deploying an advanced spam filtering solution to prevent malicious emails from reaching inboxes.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of