Even though ransomware has been around since 1996, it is as present of a threat today as it was two decades ago. The most chilling part is that cyber-attackers are getting better at it.
“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.
Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”
Not only are hackers becoming more refined in their approach, but it seems like they are also exploiting what is arguably the most notable crisis in modern times. I’m talking about the Coronavirus pandemic, of course. And yes, cybercriminals have already found a way to prey on our collective anxiety over it.
The latest ransomware to profit off of our worries is Netwalker. In the following lines, I will present its history thus far, as well as propose a few ways in which you can protect your data from it and similar attacks. So, without further ado, let’s get into it.
What Is Netwalker Ransomware?
Netwalker is a strain of ransomware discovered in September 2019, but its timestamp dates it back to late August. Initially believed to be a threat of the Mailto persuasion, it has since been established that it is an updated version of it. Mailto was discovered by independent cybersecurity researcher and Twitter user GrujaRS.
Data gathered so far indicates that Netwalker ransomware was created by a Russian-speaking group of hackers. This particular faction operates under the Circus Spider moniker.
The concept behind Netwalker is that of Ransomware-as-a-Service (RaaS), which means that Circus Spider provides others with the tools and infrastructure to hold files hostage in return for an affiliate payment. The group posted on dark web Russian forums inviting interested cybercriminals to become associates and spread the malware.
This malicious business model is nothing unheard of, being employed most notably by actors behind the GandCrab ransomware and its updated version Sodinokibi. Affiliates are offered a cut of up to 84% of the payout if the previous week’s earnings exceed $300,000. If the earnings are below this sum, they can still easily gain around 80% of the total value. The remainder of 16-20% goes to the group behind Netwalker. Through this method, those involved earned 25 million dollars in just five months starting with March 1st.
However, joining in comes with its own set of rules. Affiliates are prohibited from going against organizations located in the region of Russia and the Commonwealth of Independent States. What is more, it is stipulated that collaborators must always return the files of the victims who paid the ransom. Nonetheless, this is never a guarantee when it comes to ransomware hackers.
How Does Netwalker Ransomware Operate?
When Netwalker first started gaining traction among affiliates around March 2020, its MO was standard enough. Associates distributed the malware through spam emails that lured victims into clicking on phishing links and infecting the computers in their network. Their focus on mass volume meant that anyone was at a risk to become a target.
This type of ransomware attack is categorized as belonging to a newer class of malware, namely that which spreads through VBScripts. What is nefarious about this technique is that, if successful, it reaches all the machines connected to the same Windows network as the original infection point.
However, as of April 2020, Netwalker ransomware switched its approach up and requested that affiliates do the same. Circus Spider started recruiting experienced network intruders to single out big targets such as private businesses, hospitals, or governmental agencies, rather than individual home users. Attackers gained unauthorized access to the networks of larger organizations by manipulating unpatched VPN appliances, weak Remote Desktop Protocol passwords, or exposed spots in web applications.
After acquiring unlawful entry, Netwalker ransomware then terminates all processes and services running with Windows, encrypts the files on the disk, and deletes backups that are stored in the same network. As a consequence, everything stored on the devices in the victim network is rendered inaccessible.
Attackers gain access to sensitive data, which they then use to blackmail victims into paying a ransom in exchange for their private files to remain private and not be leaked online. Screenshots of the stolen files together with a countdown are published on Netwalker’s public shaming website. Victims are given one week to pay the ransom, and if they fail to do so everything that was on their affected machines is exposed.
According to a Flash Alert issued by the FBI and distributed among potential victims, Telerik UI and Pulse Secure VPN are two of the most common vulnerabilities exploited by attackers attempting to infiltrate an organization’s network and execute Netwalker.
A Brief History of Netwalker Ransomware Attacks
Although Netwalker has been around since the autumn of 2019, its status as a cyber-threat became apparent around March 2020, as previously mentioned. Actors employing the ransomware managed to sneak it into the networks of large organizations even before April’s change in tactics.
Attacks usually target establishments that pertain to the following four categories:
- healthcare providers,
- educational facilities,
- local government,
- and private companies.
In the subsections below, you will find relevant examples detailed for each one.
1. Healthcare Providers
Netwalker ransomware made a name for itself by preying on the fear surrounding the Coronavirus pandemic. Therefore, it comes as no surprise that medical service providers are one of its largest targets.
For instance, the Crozer-Keystone Health System operating in the suburban Philadelphia area reported a ransomware attack mid-June 2020. The provider owns four hospitals, as well as four outpatient centers in Delaware County, Pennsylvania. Rich Lenonowitz, Crozer-Keystone’s Executive Communications and Crisis Communications Director, declined to comment on if and how these units were affected. However, he did declare that the provider’s security team quickly identified the threat and took the necessary measures to mitigate damages.
Sadly, other healthcare providers have been targeted by the Netwalker ransomware since the start of the COVID-19 crisis as well. One example is the Champaign-Urbana Public Health District in Illinois, USA. Its systems were taken offline due to an attack on the 10th of March.
An arguably more serious case is that of Brno University Hospital located in the Czech Republic. The country’s second-largest medical institution was attacked in the middle of the night on March 14th, 2020. This delayed the results of dozens of Coronavirus tests. The attack took place just two days before the president issued nationwide quarantine in the country.
The European healthcare system was also sought out by attackers, as several hospitals in Spain have fallen victim to the ransomware on March 25.
2. Educational Facilities
Several universities from the United States have been affected by Netwalker attacks as well. At the beginning of June, the actors behind the ransomware threat announced that they had attacked three educational institutions and obtained sensitive data such as student names, social security numbers, and financial information.
The affected universities were Michigan State University, Columbia College of Chicago, and the University of California San Francisco. The latter was one of the schools conducting Coronavirus treatment research through clinical trials and antibody testing.
3. Local Government
Unfortunately, local government is not safe from this cyber-threat either. The entire Austrian city of Weiz has also fallen victim to Netwalker ransomware in May of 2020. Hackers illicitly entered the village’s public network with Coronavirus-centric phishing emails. The subject of the messages was set to “information about the coronavirus”.
Public infrastructure employees were thus baited to click on the malicious links included in the email and infect computers in the network. While Weiz is by all means a small town, the production plants of large companies such as construction companies Lieb-Bau-Weiz and Strobl Constructions, and automaker Magna, are located there. The village is considered to be the economic center of the Oststeiermark region of Austria.
Country-wide governmental organizations are not safe from the looming threat of Netwalker either. As the ransomware continues to thrive, Argentina’s official immigration agency, the National Directorate of Immigration (Dirección Nacional de Migraciones), is the latest victim as of August 27th, 2020.
As per a statement issued by the Fiscal Unit Specialized in Cybercrime (Unidad Fiscal Especializada en Ciberdelincuencia), the infection was first noticed around 7 a.m., which led to computer networks being taken offline. This preventive measure was quickly applied in order to stop the ransomware from spreading, but it also led to a four-hour suspension of border crossings. After that, all systems were back online.
4. Private Organizations
Another preferred target for malicious ransomware attacks, Netwalker included, are private organizations, especially those in the transportation sector. Back in February of 2020, Australian company Toll Group was targeted by the ransomware. A leading provider of transportation and logistics services in the Asia Pacific region, the company employs over 44,000 people in 50 countries.
The ransomware attack was deployed on the night of February 2nd. Fortunately, the Toll Group quickly shut down multiple systems to stop its spread. No personal data was reported to have leaked as a result, but customer-facing operations were impacted in Australia, India, and the Philippines.
Come the fall of 2020, and Netwalker ransomware is still wreaking havoc in the global private sector. This time around, hackers targeted K-Electric, Pakistan’s largest private power supplier, and the sole provider of energy for the entire Sindh capital of Karachi. The plant employs over 10,000 people and ensures that the lights stay on for around 2.5 million citizens.
The cyberattack took place on the morning of September 7th and affected the company’s online billing services rather than the power supply per se. As of September 9th, K-Electric is still reportedly struggling to mitigate the damage. The hackers orchestrating the operation demanded a $3.8 million ransom and threatened to raise it to $7.7 million after one week.
How to Protect Your Organization Against Netwalker Ransomware
When crucial data is infected by ransomware, be it Netwalker or any other similar type of threat, organizations might be tempted to just pay the ransom and get it over with. However, I do not recommend doing that because you can never be certain that the attackers will give you back access to your data.
1. Create an Efficient Data Backup Strategy
Hackers who spread ransomware base their whole schtick around holding sensitive data hostage. Having a restorable file archive takes the power away from the attackers and puts it back into your hands. It is thus important to have an offline backup on an external hard drive or another type of storage device, as well as one in the cloud.
However, for this strategy to be truly efficient against Netwalker attacks, you need to understand what type of data your company needs to back up in the first place. Where is business-critical data being held? First, locate the folders that are vital to the smooth running of your operation. Then, ensure that they have priority in the cloud and offline storage process.
2. Routinely Change the Passwords on All Access Points
One way in which Netwalker creeps into the networks of large enterprises is through brute force and remote desktop protocol attacks. With the help of bots, the actors behind these malicious hacks try as many passwords as possible until they hit the spot. This is why weak passwords cannot protect access points.
The most effective way to remedy this in your organization for good might seem too simple to be true. However, I promise it all boils down to frequently changing and strengthening passwords, as well as using two-factor authentication procedures. This is more than common sense Internet user behavior. It’s a failsafe way to prevent ransomware affiliates from controlling computers in your network remotely through RDP.
3. Use a Next-Generation Antivirus for Enhanced Safety
As I said before, hackers are becoming increasingly cunning in their attacks, and Netwalker is proof of that. Therefore, you should, first of all, ensure that your antivirus is up to date. Still, that alone might not cut it these days. Therefore, you should consider equipping your business with a next-generation antivirus.
Our Thor Vigilance Enterprise is an NGAV solution that is user-friendly while at the same time possessing advanced malware detection functionalities. Its neural AI spots and combats both malware and ransomware, as well as viruses and firewall attacks.
4. Regularly Apply Available Software Patches
Installing software patches as soon as they are deployed by their respective developers is vital for your network’s health. Without them, hackers can easily exploit unrepaired system vulnerabilities and infiltrate your machine to execute Netwalker.
To deploy patches automatically and streamline your company’s cybersecurity process even more, we recommend our Thor Foresight Enterprise. Through DNS traffic analysis, this solution identifies incoming threats and prevents potential incidents. It is effective against command and control attacks, as well as malware and ransomware.
Thor Foresight was not only nominated for the position of Anti-Ransomware Solution of the Year at the 2017 Computing Security Awards, but it also won the Anti-Malware Solution of the Year award in 2018 and 2019 at the same convention. Plus, it functions as a complementary tool for any antivirus, including or very own Thor Vigilance.
To get access to our full suite of specialized cybersecurity services, you can also choose Thor Premium Enterprise instead, which combines the functionalities of Vigilance and Foresight in one nifty package.
Simple Antivirus protection is no longer enough.
Thor Premium Enterprise
is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
- Next-gen Antivirus which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
5. Look for a Netwalker Ransomware Decryptor
The only 100% reactive thing you can do when confronted with a nasty case of the Netwalker (besides paying the ransom, which again, I do not recommend) is to try a ransomware decryptor. You can do this provided that one has been made available, of course.
As of right now, no Netwalker decryption tool has been published. However, you can check back to our extensive list of ransomware decryption tools once it made its way out in the open. Let’s keep our fingers crossed together and hope that one does come out soon. In the meantime, prevention is your best bet.
To Sum It Up…
It was only a matter of time before hackers started making a profit with Coronavirus-related threats, and it seems that Netwalker is their most notable foray in this direction. While quite a few large institutions have already fallen prey to it, this doesn’t need to happen to you now that information about this threat is available.
As always, being proactive is the best course of action when it comes to ransomware attacks. Waiting for a decryptor might be tempting, as it is the easiest way out, but in the meantime, it is your due diligence to protect your business and its assets from Netwalker, as well as other types of cybersecurity issues.