This week the Federal Bureau of Investigation (FBI) issued a warning to alert companies to attacks involving the NetWalker ransomware.
NetWalker, also known as Mailto, became widely known after a series of high-profile attacks in March 2020, including those on a transport and logistics firm in Australia and a public health agency in the United States.
In June, the University of California, San Francisco (UCSF) announced it had paid more than $1 million to recover from a ransomware attack. UCSF did not say which malware family was involved, but the NetWalker operators were widely reported to be responsible.
“As of June 2020, the FBI received alerts from unidentified cyber actors about NetWalker ransomware attacks on U.S. and international governmental organisations, educational institutions, private businesses, and health agencies,” reads the FBI’s warning.
Starting in March, the FBI says, NetWalker’s operators used COVID-19 lures in phishing emails to spread the ransomware. The following month they also began exploiting known vulnerabilities in VPN appliances and web applications, and brute-forcing weak passwords on Remote Desktop Protocol (RDP) connections.
The exploited vulnerabilities include the Pulse Secure VPN pre-authentication arbitrary file read (CVE-2019-11510) and the Progress Telerik UI for ASP.NET AJAX deserialization flaw (CVE-2019-18935), among other bugs. Once inside, the operators use post-compromise tools to harvest credentials and exfiltrate data before encrypting files.
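The RDP brute-force activity described above lends itself to a straightforward detection. The following is an added example, not code from the article or the FBI alert: it scans Windows Security event records (Event ID 4625 failed logons with LogonType 10, which is RemoteInteractive, i.e. RDP) for source addresses that accumulate many failures in a short window, and notes whether a successful RDP logon (Event ID 4624) from the same address followed the burst, which is the case to treat as a likely compromise rather than mere noise. The sample events, the IP addresses, and the threshold and window values are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real data):
# (UTC timestamp, EventID, LogonType, TargetUserName, IpAddress).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_EVENTS = [
    ("2020-04-02T01:00:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-04-02T01:00:07", 4625, 10, "admin",         "203.0.113.7"),
    ("2020-04-02T01:00:09", 4625, 10, "backup",        "203.0.113.7"),
    ("2020-04-02T01:00:11", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2020-04-02T01:00:13", 4625, 10, "scanner",       "203.0.113.7"),
    ("2020-04-02T01:00:15", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2020-04-02T01:02:10", 4624, 10, "jsmith",        "203.0.113.7"),   # success after the burst
    ("2020-04-02T09:15:00", 4625, 10, "mjones",        "198.51.100.4"),  # a single typo, benign
    ("2020-04-02T09:15:30", 4624, 10, "mjones",        "198.51.100.4"),
    ("2020-04-02T10:00:00", 4625, 3,  "svc_web",       "192.0.2.9"),     # network logon, not RDP
]


def parse_events(rows):
    """Turn the tuples above into dicts with a real datetime for sorting and windowing."""
    return [
        {"ts": datetime.fromisoformat(ts), "event_id": eid,
         "logon_type": lt, "user": user, "ip": ip}
        for ts, eid, lt, user, ip in rows
    ]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {ip: {"max_failures_in_window": n, "distinct_users": [...],
                  "success_after_burst": bool}}. A success after the burst means
    the brute force most likely worked and the host should be treated as compromised.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        # Two-pointer sliding window over the time-ordered failures for this IP.
        start, best, burst_end = 0, 0, None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, fails[end]["ts"]
        if best >= threshold:
            success_after = any(s["ts"] >= burst_end for s in successes.get(ip, []))
            findings[ip] = {
                "max_failures_in_window": best,
                "distinct_users": sorted({f["user"] for f in fails}),
                "success_after_burst": success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

Many distinct usernames from one address is the password-spraying signature; many attempts against one account is classic brute force. Both are caught by the same window, and the 4624-after-4625 check is what separates an attempt worth blocking at the firewall from an intrusion that needs a host investigation.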
“NetWalker encrypts all connected Windows-based devices and data following a successful attack, making sensitive files, databases, and applications inaccessible to users. Netwalker deploys an embedded configuration that contains a ransom note, ransom note file names and numerous configuration options when executed,” says the FBI.
The operators previously exfiltrated stolen data to MEGA.NZ, a cloud storage and file-sharing service, but switched to website.dropmefiles.com in June.
Ransomware victims are urged not to pay the ransom: payment does not guarantee that data will be recovered, it emboldens the adversaries to target other organizations, and it encourages other criminals to take part in distributing ransomware. Victims are also encouraged to report incidents to the FBI.
Organizations are advised to back up their data regularly and store copies of critical data securely, use anti-malware software and two-factor authentication, use secure networks, and keep every device in the enterprise environment up to date.