The Federal Bureau of Investigation (FBI) has released a (TLP:WHITE) FLASH alert following a rise in attacks using Netwalker ransomware. Netwalker is a new threat on the ransomware scene, first spotted in March 2020 after attacks on a transportation and logistics company in Australia and the University of California, San Francisco.
UC San Francisco was put in a position where it had no option other than to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover important research data. One of the latest healthcare victims was the Maryland-based nursing home operator, Lorien Health Services.
The threat group has tried to leverage the COVID-19 pandemic to carry out attacks on government firms, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.
The threat group initially used email as its attack vector, sending COVID-19 themed phishing emails with malicious Visual Basic Scripting (.vbs) file attachments. In April, the group also started targeting unpatched vulnerabilities in Virtual Private Network (VPN) appliances such as the Pulse Secure VPN flaw (CVE-2019-11510) and Telerik UI (CVE-2019-18935).
The threat group is also known for targeting insecure user interface components in web applications. Mimikatz is deployed to harvest credentials, and the penetration testing tool PsExec is used to gain access to networks. Before encrypting files with Netwalker ransomware, sensitive data is located and exfiltrated to cloud services. At first, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s workstation; more recently it has been exfiltrated through the dropmefiles.com file sharing service.
Earlier in 2020, the Netwalker operators began advertising on hacking forums, looking to bring on board a select group of affiliates that could supply access to the networks of large enterprises. It is not known how successful the group has been at recruiting affiliates, but attacks rose throughout June and July.
The FBI has issued guidance advising victims not to pay the ransom and to make any attacks known to their local FBI field office. In the alert the FBI explained: “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
A variety of techniques are being used to obtain access to networks, so there is no single mitigation that can be implemented to stop attacks from succeeding. The FBI recommends ensuring that all computers, devices, and applications are kept up to date and that patches are applied swiftly. Multi-factor authentication should be put in place to stop stolen credentials from being used to log on to systems, and strong passwords should be set to thwart brute force attacks that attempt to guess passwords. Anti-virus/anti-malware software should be installed on all hosts, kept updated, and used for regular scans.
To make sure that recovery from an attack can take place without paying the ransom, organizations should back up all critical data and store those backups offline on a non-networked device or in the cloud. The backup should not be accessible from the system where the data is located. Ideally, more than one backup copy should be created, with each copy stored in a different location.