NetWalker Ransomware Gang Targeting the Healthcare Industry

While some threat groups have stated that they will not attack healthcare organizations on the frontline in the fight against COVID-19, that is certainly not the case for the operators of NetWalker ransomware, who have been actively targeting the healthcare industry during the COVID-19 public health emergency .

Recent research conducted by Advanced Intelligence LLC has revealed the operators of the ransomware have been conducting extensive attacks on healthcare industry targets and operations are now being significantly expanded.

Most ransomware attacks conducted by Russian-speaking threat actors involve large-scale phishing campaigns rather that targeted attacks. NetWalker ransomware has been spread in this manner during the COVID-19 pandemic through spam emails claiming to provide information about SARS-CoV-2 and COVID-19 cases. The emails include a Visual Basic script file attachment named CORONAVIRUS_COVID-19.vbs, which downloads the ransomware from a remote server.

While phishing emails are still being used, the group is now moving into large-scale network infiltration. Representatives of the group have been posting advertisements on top-tier darknet forums announcing a new affiliate program under the ransomware-as-a-service model. While many threat groups are not particularly choosy about who they recruit to spread their ransomware, the NetWalker gang is opting for a quality rather than quantity approach and is only looking to recruit capable affiliates who have or are able to gain access to enterprise networks.

The gang is prioritizing affiliates who already have access to enterprise networks and is looking to work with hackers who have extensive experience who are capable of conducting regular attacks. As is common with Russian threat groups, affiliates are forbidden from attacking Russian or CIS targets.

The group claims it has the ability to exfiltrate data prior to data encryption and files stolen from victims will be published on its blog if the ransom is not paid, as is the case with other manual ransomware groups. The group also states that it will always decrypt files when the ransom is paid.

To attract experienced hackers, the group is offering a high percentage of the ransom payment for the affiliate. Many affiliate programs offer a 30/70 split of ransom payments, with the 70% going to the affiliate. NetWalker is offering 80% of all ransom payments if under $300K, and 84% for payments in excess of $300K. The ransoms demanded by the group so far have been significant, ranging from several hundred thousand dollars to millions.

The group has conducted attacks on several healthcare organizations, including the Champaign-Urbana Public Health District in Illinois in March, along with attacks on other major targets such as Toll Group, an Australian shipping firm, and the Australian customer experience firm Stellar.

The group has been using fileless ransomware according to Trend Micro. Fileless ransomware is not written to the disk and only operates in the memory, which makes it hard for security solutions to identify attacks. Microsoft has warned of attacks on healthcare providers in which the attackers used misconfigured IIS-based applications to deploy the Mimikatz credential-stealing tool, and PsExec to deploy NetWalker.

The change in tactics, techniques and procedures favoring highly targeted attacks, the current affiliate recruitment campaign, and the high percentages offered to affiliates are likely to see NetWalker ransomware become an even bigger threat over the coming months with the group joining other prolific manual ransomware threat groups such as Maze and REvil.

With manual ransomware attacks on healthcare organizations increasing, network defenders should take preemptive measures to reduce risks, such as addressing known vulnerabilities, securing vulnerable internet-facing systems, checking servers and applications for misconfigurations, and monitoring for the use of penetration testing tools, security log tampering, and credential theft activities which could indicate an previous system compromise.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.