FBI Alerts to Rise in Targeted Netwalker Ransomware Attacks – HealthITSecurity.com

July 30, 2020 - Netwalker ransomware attacks are again on the rise, targeting US and foreign health agencies, education entities, private companies, and governments, according to a recent FBI flash alert. Victims were also warned not to pay the ransom demand but to report incidents to the FBI.

The hacking group has notoriously targeted the healthcare sector throughout the COVID-19 crisis. A report in May showed Netwalker hackers were partnering with other cybercriminals to gain access to enterprise networks through a ransomware-as-a-service (RaaS) model.

Most recently, the University of California San Francisco paid the hackers $1.14 million to unlock several of its School of Medicine servers after an attack. The group was also behind the ransomware attack on the Champaign-Urbana Public Health District in Illinois.

According to the alert, Netwalker has continued to use the COVID-19 pandemic to its advantage. In June, the FBI was notified of multiple attacks on those entities, with the actors successfully compromising an increasing number of unsuspecting victims.

In the latest attacks, the threat actors gain a foothold on the network and later encrypt all connected Windows-based devices and data, rendering critical databases, files, and applications inaccessible. Netwalker then deploys an embedded configuration that includes a ransom note and ransom note file names, along with various configuration options.

Previous attacks used COVID-19-themed phishing emails carrying a Visual Basic Script (VBS) attachment that ran when the user opened it. The hackers have also commonly exploited Virtual Private Networks (VPNs), vulnerabilities in web application interface components, and weak credentials used for Remote Desktop Protocol (RDP) connections.

But most commonly, the hackers exploit known vulnerabilities in Pulse Secure VPNs. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) warned in April that threat actors were targeting those flaws even where the organization had applied the patch: the April CISA alert concerned CVE-2019-11510, which let attackers harvest plaintext credentials that remain valid after patching unless they are reset, so patching alone does not close the door.

Once the actors have infiltrated a network, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files, the FBI warned. To encrypt the files on the victim network, the actors typically launch a malicious PowerShell script with the Netwalker ransomware executable embedded in it.

Actors using Netwalker have previously uploaded stolen data to the cloud storage and file-sharing service MEGA.NZ, either through the MEGA website or by installing the MEGA client application directly on a victim's computer, the FBI added.

The group transitioned in June from uploading and releasing stolen data on MEGA to another file-sharing service. Double extortion, in which attackers steal data before encrypting it and threaten to publish it if the ransom is not paid, was first made popular by Maze ransomware operators, but other attackers, including Netwalker, soon followed suit.
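As an added example (not code from the article or from the FBI alert), the following Python script runs three simple detections over constructed sample events that match the entry and exfiltration techniques described above: repeated failed RDP logons from one source (weak RDP credentials), a PowerShell launch whose encoded script carries a base64-encoded PE image (the "PowerShell script embedded with the ransomware executable"), and large outbound transfers to MEGA. The event schema, the sample data, the thresholds, and the MEGA domain list are assumptions of this example; map them onto your own telemetry (Windows 4625/4688 events, proxy or firewall logs).

```python
"""Constructed detection pass for the Netwalker-era indicators named in the
FBI alert: RDP password guessing, PowerShell carrying an embedded executable,
and uploads to MEGA. Event format, sample data and thresholds are invented
for this example and are not a vendor schema."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample telemetry (not real logs) -------------------------

def _rdp_fail(ts, src_ip, user="administrator"):
    # logon_type 10 is RemoteInteractive (RDP) in Windows logon-failure events
    return {"ts": ts, "type": "logon_failed", "logon_type": 10,
            "src_ip": src_ip, "user": user}

# Stand-in for a PowerShell loader carrying an executable: a fake 64-byte
# PE ("MZ" header plus zero padding) as base64 inside a script, with the
# script passed via -enc as base64 of UTF-16LE text, which is the encoding
# -EncodedCommand expects.
_FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()
_SCRIPT = f"$bytes = [Convert]::FromBase64String('{_FAKE_PE_B64}')"
_LOADER_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                   + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode())

SAMPLE_EVENTS = [
    # six failed RDP logons from one source inside one minute
    _rdp_fail(f"2020-06-01T02:00:{s:02d}", "203.0.113.7") for s in range(0, 60, 10)
] + [
    _rdp_fail("2020-06-01T09:15:00", "198.51.100.4", "jsmith"),  # one typo, benign
    {"ts": "2020-06-01T02:05:00", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": _LOADER_CMDLINE},
    {"ts": "2020-06-01T10:00:00", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},             # benign
    {"ts": "2020-06-01T03:00:00", "type": "network",
     "dest_host": "mega.nz", "bytes_out": 250_000_000},
    {"ts": "2020-06-01T03:01:00", "type": "network",
     "dest_host": "example.com", "bytes_out": 12_000},              # benign
]

# --- detections -----------------------------------------------------------

def rdp_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> max number of failed RDP logons seen inside any
    sliding window, for sources that reach the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "logon_failed" and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits

_B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def _decoded_blobs(text):
    """Yield the bytes of every long base64 token found in text."""
    for m in _B64_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue

def embedded_pe_in_powershell(events):
    """Command lines of PowerShell launches carrying a base64 blob that
    decodes to a PE image ("MZ"), looking inside -enc payloads as well."""
    flagged = []
    for e in events:
        if e["type"] != "process" or "powershell" not in e["image"].lower():
            continue
        texts = [e["cmdline"]]
        if re.search(r"-e(c|nc\w*)\b", e["cmdline"], re.I):
            # -enc/-EncodedCommand payload is base64(UTF-16LE script text)
            texts += [b.decode("utf-16-le", errors="ignore")
                      for b in _decoded_blobs(e["cmdline"])]
        if any(blob.startswith(b"MZ") for t in texts for blob in _decoded_blobs(t)):
            flagged.append(e["cmdline"])
    return flagged

# Assumed domain list for the MEGA service; extend from your own intel.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")

def mega_uploads(events, min_bytes=10_000_000):
    """Network events sending at least min_bytes to a MEGA domain."""
    def is_mega(host):
        return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)
    return [e for e in events if e["type"] == "network"
            and is_mega(e["dest_host"]) and e.get("bytes_out", 0) >= min_bytes]

if __name__ == "__main__":
    print("RDP guessing:", rdp_password_guessing(SAMPLE_EVENTS))
    print("PowerShell with embedded PE:", len(embedded_pe_in_powershell(SAMPLE_EVENTS)))
    print("MEGA uploads:", [e["dest_host"] for e in mega_uploads(SAMPLE_EVENTS)])
```

The PE check decodes every long base64 token rather than matching the literal "TVqQ" prefix, so a PE whose base64 alignment differs (for example, a leading byte before the header) or one wrapped in a second layer of -enc encoding is still caught; the byte-volume threshold on the MEGA rule is what separates an attacker's bulk upload from a user visiting the site.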

The FBI does not encourage victims to pay the ransom, as payment may embolden cybercriminals to target additional organizations or encourage other hackers to adopt ransomware as well. Paying the ransom demand also does not guarantee the hackers will unlock the files.

And notably, some ransomware attacks have been known to cause permanent data loss even when the ransom is paid.

The FBI provided organizations with some key mitigations, including backing up critical data offline and ensuring copies of critical data are stored in the cloud or on an external hard drive or storage device.

Organizations should also secure their backups, ensuring the backed-up data cannot be modified or deleted from the system it was taken from, so that an intruder with administrator credentials on that system cannot destroy the copies along with the originals. Anti-virus or anti-malware software should be installed and regularly updated on all hosts, and organizations should only use secure networks.

The agency also recommended installing and using a VPN, as well as two-factor authentication with strong passwords, which directly addresses the weak RDP and VPN credentials named above as common entry points. Computers, devices, and applications must be routinely patched and kept up to date.
