Protect Your Organization Against Netwalker Ransomware Attacks

Hackers have a long history of stalking the internet using ransomware. The latest attacks prey on one of our biggest worries—COVID-19. Using Netwalker ransomware, hackers are trying to profit off our collective anxiety.

What Is Netwalker Ransomware?

Discovered in September 2019, Netwalker is a ransomware strain of the Mailto variety. It has since been updated to target end users with messaging disguised as a COVID-19 brief.

Netwalker targets corporate computer networks, encrypting the files it finds and demanding a cryptocurrency payment for the safe recovery of the encrypted data. The ransomware was possibly created by a Russian-speaking group of hackers operating under the moniker Circus Spider.

The concept behind Netwalker is ransomware as a service (RaaS), meaning that Circus Spider provides others with the tools and infrastructure to hold files hostage in return for affiliate payment. The group uses dark web forums to look for associates who will spread the malware. It is stipulated that collaborators must always return the files of the victims who have paid the ransom.

This is not an uncommon business model among cybercriminals. Affiliates get a cut of up to 84% of the payout if the previous week’s earnings exceed $300,000. If the earnings are below this sum, they can still easily gain around 80% of the total value. The remainder of 16-20% goes to the group behind Netwalker.

How Does Netwalker Ransomware Operate?

Netwalker hackers have exploited the general public’s interest in information about the COVID-19 pandemic. Phishing emails are sent disguised as information related to COVID-19, but when the recipient opens the attached file, their computer is compromised. Netwalker ransomware has also sent messages pretending to be affiliated with the legitimate password app, Sticky Password, in an attempt to gain access to systems.

The associates’ goal is mass distribution, so anyone can become a victim. The attack falls under a newer class of malware that spreads through VBScripts. If the infected machine is connected to a Windows network, the ransomware reaches all connected machines.

In April 2020, the attackers focused their approach on breaking into networks and gaining access to data. The targets are large organizations such as private businesses, hospitals, and governmental agencies. Hackers gain access to these larger organizations by exploiting unpatched VPN appliances, weak Remote Desktop Protocol (RDP) passwords, or exposed spots in web applications.

Once the hackers have acquired unlawful entry, the ransomware terminates all processes and services running with Windows, encrypts the files on the disk, and deletes backups that are stored in the same network. As a result, everything stored on the devices within the network is rendered inaccessible.

The hackers then blackmail the victims to pay a ransom for their files. A screenshot of stolen files and a countdown are published on Netwalker’s website. The victims have a week to pay the ransom. According to a flash alert issued by the FBI, the most vulnerable VPNs are Telerik UI and Pulse Secure VPN.

What Organizations Are the Target of Netwalker Attacks?

Netwalker attacks have been primarily focused on the following four industries: healthcare providers, educational facilities, local government, and private companies. Relevant examples of attacks in these industries can be seen in detail below.

1. Healthcare Providers

In mid-June 2020, Crozer-Keystone Health System, operating in the suburban Philadelphia area, reported a Netwalker ransomware attack. The attack affected four hospitals, as well as four outpatient centers in Delaware County, Pennsylvania.

But Crozer-Keystone Health System wasn’t alone; the most serious case is that of Brno University Hospital in the Czech Republic. The hospital is the country’s second-largest medical institution, and the attack delayed the results of many coronavirus tests.

2. Educational Facilities

At the beginning of June, three American universities were attacked: Michigan State University, Columbia College of Chicago, and the University of California San Francisco. Some of these institutions are currently conducting coronavirus treatment research through clinical trials and antibody testing.

3. Local Government

In May 2020, the Austrian city of Weiz was a victim of Netwalker ransomware. Public infrastructure employees were baited through emails about the coronavirus.

Weiz is a small town; however, the ease of the attack has brought to light how easily it could affect the government operations of other countries.

4. Private Organizations

Netwalker also targets private organizations. In February 2020, Australian company Toll Group was targeted by the ransomware. The company employs over 44,000 people in 50 countries and is the leading provider of transportation and logistics services in the Asia Pacific region. The Toll Group was able to shut down multiple systems to stop the spread of the attack, but customer-facing operations were impacted in Australia, India, and the Philippines.

How to Protect Your Organization Against Netwalker Ransomware

You may be tempted to pay the ransom, but it is not recommended. You do not know if the attackers will give you back your data, and paying them encourages them to continue their attacks. We recommend the following steps to protect your organization:

1. Backup Critical Data to a Secure System

The attackers rely on holding sensitive data hostage. You can limit some of their power by having a restorable file archive. You should back up your files in the cloud, or offline on another type of external drive. If you are currently running your infrastructure in the cloud, you also gain additional layers of protection on these platforms.

Before you back up all your data and allocate large storage systems, you need to identify what data is business-critical. Locate data that is vital to running the organization and prioritize its backup and access.

2. Change Passwords

Another way Netwalker gains access is by trying as many passwords as possible until the correct one is found. This is why weak passwords are vulnerable spots in the infrastructure. The best solution is relatively easy: make sure your organization’s passwords are strong and frequently changed.
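
Password guessing of the kind described above shows up in Windows logon records as a burst of failed logons from one source, sometimes followed by a success. The following is an added example, not part of the original article or of any vendor tooling; the log lines, the comma-separated layout, and the function name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, Windows Security event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP),
# type 3 = network logon (how RDP failures appear when NLA is enabled).
SAMPLE_EVENTS = """\
2020-06-01T02:10:01,4625,3,administrator,203.0.113.7
2020-06-01T02:10:04,4625,3,admin,203.0.113.7
2020-06-01T02:10:09,4625,3,backup,203.0.113.7
2020-06-01T02:10:15,4625,3,svc_sql,203.0.113.7
2020-06-01T02:10:21,4625,3,administrator,203.0.113.7
2020-06-01T02:11:02,4624,10,administrator,203.0.113.7
2020-06-01T08:30:00,4625,10,jsmith,198.51.100.20
2020-06-01T08:30:40,4624,10,jsmith,198.51.100.20
"""

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failures in window."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    findings = {}
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        if logon_type not in ("3", "10"):
            continue              # only remote logon types are of interest here
        when = datetime.fromisoformat(ts)
        fails = recent[src]
        while fails and when - fails[0] > window:
            fails.popleft()       # drop failures that fell out of the window
        if event_id == "4625":
            fails.append(when)
            if len(fails) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(fails))
        elif (event_id == "4624" and fails and src in findings
              and findings[src]["success_after"] is None):
            # A success right after a burst of failures suggests a guessed password.
            findings[src]["success_after"] = account
    return findings

if __name__ == "__main__":
    for src, finding in find_password_guessing(SAMPLE_EVENTS).items():
        print(src, finding)
```

A source that appears with a non-empty `success_after` is the case to investigate first: the account named there should be treated as compromised and its password reset.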

3. Use a Next-Generation Antivirus for Enhanced Safety

You should ensure that your antivirus is up to date, but as hackers’ attacks get more sophisticated, that might not be enough. You should consider next-generation antivirus that is managed and maintained by a service provider for maximum protection.

4. Regularly Apply Available Software Patches

Do not delay installing software patches. Attackers can exploit unrepaired vulnerabilities and infiltrate your machine.

Ransomware is a lucrative business. Since March 2020, the Netwalker associates have profited $25 million from organizations whose networks were compromised. They have capitalized on the national crisis of COVID-19.

But you can protect your organization through due diligence and addressing any cybersecurity threats and weak spots.
