Netwalker ransomware on the rise – encrypts Windows-based devices and data
The US Federal Bureau of Investigation (FBI) issued a warning about ransomware targeting organizations in the United States and abroad. Netwalker ransomware attacks U.S. and foreign governmental organizations, education entities, private companies, and health agencies. The ransomware attacks and encrypts Windows-based networks, rendering critical files, databases, and applications inaccessible.
The University of California, San Francisco (UCSF), which includes its medical school, UCSF Medical Center, and its graduate school, paid a $1.14 million ransom to recover information related to academic work. Important data was encrypted after Netwalker ransomware crippled the UCSF medical school.
The threat actors behind Netwalker use tactics such as phishing email campaigns and exploitation of security vulnerabilities to cripple computer networks.
Netwalker ransomware was used to attack and encrypt the IT networks of UCSF School of Medicine, the Australian transportation and logistics company Toll Group, and Lorien Health Services in July. The ransomware was first seen in March 2020, when it was deployed against Australia’s Toll Group. When successfully deployed, it encrypts all Windows-based devices, data, critical files, and databases.
“Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files,” says the FBI bulletin.
What is Ransomware?
Ransomware is any type of malicious computer code used to attack and encrypt files on a computer, device, or IT network. Threat actors that use ransomware typically attack companies, government entities, educational institutions, or any organization with the ability to pay their ransom demands. The ransomware keeps the infected system and its files encrypted until the threat actors’ demands for money are paid.
These cyber attacks are commonly launched by exploiting unpatched security vulnerabilities or through phishing emails crafted with information gathered by social engineering. Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935).
How Netwalker Ransomware Attacks
Threat actors used pandemic-related messaging in phishing emails that carried malicious attachments, sent to targets in March 2020. If the reader opened the email attachment, it launched a malicious Visual Basic Scripting (VBS) script that dropped the malware payload. By April, unpatched Virtual Private Network (VPN) appliances, vulnerable user interface components in web applications, or weak passwords used for Remote Desktop Protocol (RDP) connections were being exploited to infect systems with Netwalker.
Recommended Malware Mitigation
The FBI discourages paying ransom to malware attackers. Paying a ransom to threat actors does not guarantee that a victim’s files will be recovered. The FBI recommends the following mitigations:
- Download, install, and activate anti-virus and anti-malware software
- Use antivirus and anti-malware apps on all devices
- Use two-factor authentication (2FA) or multifactor authentication (MFA) for access to online accounts and connected devices
- Require the use of strong and unique passwords
- Maintain backups of critical data offline with no internet connection
- Keep copies of critical data on external storage
- Secure backups so they cannot be accessed or modified from live systems
- Keep all computers, devices, and applications patched and updated with the latest security patches