FBI Publishes a Flash Alert Cautioning of More NetWalker Ransomware Attacks

The Federal Bureau of Investigation (FBI) gave a (TLP:WHITE) FLASH notification this week after seeing a growth in attacks that use the NetWalker ransomware. NetWalker is a somewhat new ransomware threat that was discovered in March 2020 soon after a transportation and logistics organization in Australia and the University of California in, San Francisco suffered attacks. UC San Francisco was pressured to pay out a ransom payment of approximately $1.14 million to acquire the keys to unlock encrypted data files to restore vital research files. One of the latest healthcare victims was Lorien Health Services, a nursing home operator based in Maryland.

The threat team has used the COVID-19 outbreak to execute attacks and has aimed at government institutions, private businesses, educational establishments, healthcare organizations, and entities associated with COVID-19 research.

The threat group used email as attack vector in the beginning. It sent out COVID-19 themed phishing emails with an attachment of a malicious Visual Basic Scripting (.vbs) file. In April, the threat group likewise commenced taking advantage of unpatched vulnerabilities present in Virtual Private Networking (VPN) gadgets for instance the Pulse Secure VPN vulnerability (CVE-2019- 11510) and Telerik UI (CVE-2019-18935).

The threat group is at the same time noted to strike vulnerable user interface elements in web apps. Mimikatz is sent out to swipe credentials, whereas the penetration testing tool PsExec is employed to get access to networks. Prior to file encryption with NetWalker ransomware, sensitive information is identified and exfiltrated to the cloud. At first, information was exfiltrated by means of the MEGA webpage or by setting up the MEGA client app directly on a victim’s personal computer system and recently by means of the dropmefiles.com file-sharing website.

Early this year, the NetWalker threat group began advertisements on hacking community discussion boards hoping to sign up a select group of affiliates that may give access to the sites of good-sized companies. It is uncertain how good the group was able to get affiliates, although attacks were rising in June and July.

The FBI has instructed victims not to make ransom payment and to report to the area FBI field office any attacks. Paying the ransom demand may just embolden attackers to focus on even more companies, persuade other criminal actors to partake in the ransomware attacks, and/or may well create funding for illicit activities. Paying off the ransom additionally won’t assure the recovery of a victim’s data files. Nonetheless, the FBI knows that when firms are met with an inability to work, executives will assess all possibilities to secure their shareholders, personnel, and consumers.”

A selection of different strategies is being employed to get access to systems thus there’s no particular mitigation that could be carried out to avert attacks from becoming successful. The FBI suggests updating all computers, equipment, and programs and implementing patches immediately. Multi-factor authentication ought to be used to avert the usage of stolen credentials to gain access to system. Be sure to use strong passwords to ward off brute force attempts of guessing the passwords. Implement anti-virus/anti-malware software on all hosts and update it and perform regular scans.

To make sure of recovery from an attack without having to pay the ransom, companies need to backup all vital files and hold those backups offline on a non-networked unit or on the web. The backup shouldn’t be available from the system where the data is stored. Preferably, have several backup copies and place each copy in various locations.