Cyberattacks involving Netwalker ransomware have become much more common, to the point that Netwalker is now one of the biggest ransomware threats of 2020.

Netwalker is a ransomware variant that was previously known as Mailto, which was initially seen a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 began advertising for affiliates to share the ransomware under the ransomware-as-a-service model. As opposed to many RaaS offerings, the threat group is being particularly choosy about who they identify to distribute the ransomware and has been trying to build a select group of affiliates with the ability to carry out network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if targeted.

Netwalker ransomware was implemented in an attack in February on Toll Group, an Australian logistics and transportation firm, which caused widespread disruption although the firm claims not to have paid the ransom. Like many other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to share the ransomware payload via a malicious email attachment, opting for a Visual Basic Scripting (.vbs) loader attachments.

Then came attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks growing during in June. The University of California San Francisco, which was carrying out research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to crucial research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker group.

The recent attacks have included a change in the style of attack, suggesting the attacks have been the work of affiliates and the recruitment campaign has been effective. Recent attacks have seen a variety of techniques used in attacks, including brute force attacks on RDP servers, exploitation of flaws in unpatched VPN systems such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been carried out exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.

With the ransoms paid to date, the group is now far better funded and appears to have talented affiliates working at distributing the ransomware. Netwalker has now become one of the largest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen before file encryption and threats are issued to publish or sell the data if the ransom is not paid.

The rise in activity and skill of the group at gaining access to enterprise networks prompted the FBI to release a flash alert warning of the risk of attack in late July. The group seems to be focusing on government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to rise.

Securing yourself from the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to obstruct email attacks, end users should be taught how to recognize dangerous emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is vital. All devices should be running the latest software versions.

Antivirus and anti-malware software should be implemented on all devices and kept up to date, and policies requiring strong passwords to be created should be enforced to stop brute force tactics from succeeding. Patched VPNs should be implemented for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed as they become available. Backups should be stored on a non-networked device that is not accessible via the internet to ensure they too are not encrypted in an attack.