Getty Images/iStockphoto

FBI Alerts to Rise in Targeted Netwalker Ransomware Attacks

An FBI flash alert warns of a significant increase in targeted Netwalker ransomware attacks on US and foreign health agencies, governments, private companies, and education entities.

Netwalker ransomware attacks are again on the rise, targeting US and foreign health agencies, education entities, private companies, and governments, according to a recent FBI flash alert. Victims were also warned to not pay the ransom demand but to report incidents to the FBI. 

The hacking group has notoriously targeted the healthcare sector throughout the COVID-19 crisis. A report in May showed Netwalker hackers were partnering with other cybercriminals to gain access to enterprise networks through a Ransomware-as-a-Service (RaaS) model. 

Most recently, the University of California San Francisco paid the hackers $1.14 million to unlock several of its School of Medicine servers after an attack. The group was also behind the ransomware attack on the Champaign-Urbana Public Health District in Illinois

According to the alert, Netwalker has continued to use the COVID-19 pandemic to their advantage. In June, the FBI was notified of multiple attacks on those entities and successfully compromising “an increasing number of unsuspecting victims.” 

In the latest attacks, the threat actors gain a foothold onto the network and later encrypt all connected Windows-based devices and data to render critical databases, files, and applications inaccessible. Then, Netwalker will deploy an embedded configuration that includes a ransom note and file names, along with various configuration options. 

Previous attacks used COVID-19 phishing lures able to spread through Visual Basic Scripting (VBS) script that executed when the email was opened by the user. The hackers have also commonly exploited Virtual Private Networks (VPNs), vulnerabilities in web application interface components, and weak credentials used for Remote Desktop Protocol (RDP) connections. 

But most commonly, the hackers exploit known vulnerabilities in Pulse Secure VPNs. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency warned threat actors were targeting those flaws in April, even if the organization had applied the patch. 

“Once an infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files,” the FBI warned. “In order to encrypt the user files on the victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable.” 

“Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ, by uploading data through the MEGA website or by installing the MEGA client application directly on a victim’s computer,” they added. 

The group transitioned from uploading and releasing stolen data on MEGA to another file sharing service in June. Double extortion was first made popular by Maze ransomware hackers, but other attackers – including Netwalker – soon followed suit

The FBI does not encourage victims to pay the ransom, which may embolden cybercriminals to target additional organizations or encourage other hackers to leverage ransomware, as well. Paying the ransom demand also does not guarantee the hackers will unlock the files. 

And notably, some ransomware attacks have been known to cause data loss

The FBI provided organizations with some key mitigations, including backing up critical data offline, ensuring copies of critical data are stored in the cloud or on an external hard drive or storage device. 

Organizations should also secure backups, ensuring data is inaccessible to modification or deletion from the system. Anti-virus or anti-malware software should be installed and regularly updated on all hosts, while organizations should only use secure networks. 

The agency also recommended organizations install and use a VPN, as well as two-factor authentication with strong passwords. Computers, devices, and applications must be routinely patched and kept up-to-date. 

Next Steps

Dig Deeper on Cybersecurity strategies