This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving Netwalker ransomware. Netwalker is a relatively new ransomware threat that came to attention in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock its encrypted files and recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator Lorien Health Services.
The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.
The threat group initially used email as its attack vector, sending COVID-19-themed phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment. In April, the group also started exploiting unpatched vulnerabilities in Virtual Private Network (VPN) appliances, such as the Pulse Secure VPN flaw (CVE-2019-11510), and in Telerik UI (CVE-2019-18935).
The threat group is also known to attack insecure user interface components in web applications. Once inside, Mimikatz is deployed to steal credentials, and the penetration testing tool PsExec is used to gain access to systems across the network. Before files are encrypted with Netwalker ransomware, sensitive data is located and exfiltrated to cloud services. Initially, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s computer; more recently, the group has used the website.dropmefiles.com file sharing service.
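The FBI alert describes the attack chain in prose only. As an added illustration (not part of the alert or this article), the following Python script shows how a defender might triage log lines for three of the behaviours described above: a .vbs email attachment, a PsExec service installation (PsExec installs a Windows service named PSEXESVC, which appears as a System log event 7045), and an upload to the MEGA or dropmefiles.com file-sharing services. The log formats, hostnames, usernames and sample lines are constructed for this example, and mega.nz is assumed to be the domain used by the MEGA service.

```python
"""Indicator triage for the Netwalker tradecraft described in the FBI alert.

Added example, not taken from the alert or the article. All log formats and
sample lines below are constructed; real gateways, SIEMs and proxies use
their own formats, so the regular expressions would need adapting.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


# Constructed (hypothetical) line formats used by this example:
#   mail   : mail from=<...> to=<...> attachment="<filename>"
#   system : EventID=7045 ServiceName=<name> ImagePath=<path> Host=<host>
#   proxy  : proxy host=<destination> method=<verb> bytes_out=<n> user=<user>
ATTACHMENT_RE = re.compile(r'attachment="([^"]+)"', re.IGNORECASE)
SERVICE_INSTALL_RE = re.compile(r"EventID=7045\b.*?ServiceName=(\S+)\s+ImagePath=(\S+)")
PROXY_RE = re.compile(r"host=(\S+)\s+method=(\S+)\s+bytes_out=(\d+)")

# The article names .vbs attachments; the endswith check also catches
# double extensions such as "guidance.pdf.vbs".
SCRIPT_EXTENSIONS = (".vbs",)
# Assumed domains for the two services named in the alert.
FILE_SHARING_DOMAINS = ("mega.nz", "mega.co.nz", "dropmefiles.com")
UPLOAD_METHODS = ("POST", "PUT")


def _matches_domain(host: str, domains: Iterable[str]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every line that shows one of the three behaviours."""
    findings: List[Finding] = []
    for line in lines:
        m = ATTACHMENT_RE.search(line)
        if m and m.group(1).lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(Finding("vbs-attachment", m.group(1), line))
            continue

        m = SERVICE_INSTALL_RE.search(line)
        if m:
            name, image = m.group(1), m.group(2)
            # Match on service name or binary path; a renamed PsExec service
            # (psexec -r) would evade the name check, hence the path check too.
            if "psexesvc" in name.lower() or "psexesvc" in image.lower():
                findings.append(Finding("psexec-service-install", f"{name} -> {image}", line))
            continue

        m = PROXY_RE.search(line)
        if m:
            host, method, bytes_out = m.group(1), m.group(2).upper(), int(m.group(3))
            if method in UPLOAD_METHODS and _matches_domain(host, FILE_SHARING_DOMAINS):
                findings.append(
                    Finding("upload-to-file-sharing", f"{method} {bytes_out} bytes to {host}", line)
                )
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, which is what a triage dashboard would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log lines; four of the seven should be flagged.
SAMPLE_LOGS = [
    r'mail from=<covid-update@example.test> to=<staff@example.test> attachment="COVID-19_guidance.pdf.vbs"',
    r'mail from=<hr@example.test> to=<staff@example.test> attachment="handbook.pdf"',
    r"EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe Host=FILESRV01",
    r"EventID=7045 ServiceName=BackupAgent ImagePath=C:\Backup\agent.exe Host=FILESRV01",
    r"proxy host=mega.nz method=POST bytes_out=734003200 user=jdoe",
    r"proxy host=www.example.test method=GET bytes_out=512 user=jdoe",
    r"proxy host=files.dropmefiles.com method=PUT bytes_out=52428800 user=jdoe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Each rule covers one stage of the chain the alert describes (initial access, lateral movement, exfiltration), so a single host producing findings from more than one rule in a short window is a much stronger signal than any one rule alone; the service-install and upload rules are the ones most worth correlating, since they precede encryption.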
Earlier this year, the Netwalker operators started advertising on hacking forums looking to recruit a select group of affiliates that could provide access to the networks of large enterprises. It is unclear how successful the group has been at recruiting affiliates, but attacks have been increasing throughout June and July.
The FBI has advised victims not to pay the ransom and to report any attacks to their local FBI field office. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” explained the FBI in the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Because a range of different techniques are being used to gain access to networks, there is no single mitigation that can prevent attacks from succeeding. The FBI recommends keeping all computers, devices, and applications up to date and applying patches promptly. Multi-factor authentication should be implemented to prevent stolen credentials from being used to access systems, and strong passwords should be set to thwart brute force attempts to guess them. Anti-virus/anti-malware software should be installed on all hosts, kept updated, and used to conduct regular scans.
To ensure recovery from an attack is possible without paying the ransom, organizations should back up all critical data and store those backups offline on a non-networked device or in the cloud. The backups should not be accessible from the system where the data resides, so that ransomware cannot encrypt them along with the original data. Ideally, create more than one backup copy and store each copy in a different location.