FBI Warns of NetWalker Ransomware Targeting Businesses

The Federal Bureau of Investigation this week released an alert to warn businesses of ongoing cyberattacks involving the NetWalker ransomware.

NetWalker, also known as Mailto, has become a widely known threat following a series of high-profile attacks in March 2020, such as those targeting a transportation and logistics company in Australia, and a public health organization in the United States.

In June, the University of California San Francisco (UCSF) revealed that it paid over $1 million to recover from a ransomware attack. Although it did not say which malware family was used in the incident, the NetWalker ransomware was supposedly responsible for the attack.

“As of June 2020, the FBI has received notifications of NetWalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors,” the FBI’s alert reads.

Starting March, the FBI says, NetWalker’s operators have been leveraging COVID-19-related themes in phishing emails distributing the ransomware. The next month, they began targeting known vulnerabilities in VPN appliances and web apps, as well as Remote Desktop Protocol connections, via brute force attacks.

The threat has been observed targeting vulnerabilities affecting the Pulse Secure VPN (CVE-2019-11510) and Progress Telerik UI (CVE-2019-18935), as well as other security bugs. Various tools are employed post-compromise, to steal credentials and data and to encrypt user files.

“Following a successful intrusion, NetWalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options,” the FBI says.

The threat actor used to upload the stolen data to MEGA.NZ, a service that provides cloud storage and file sharing functionality, but switched to website.dropmefiles.com starting June.

Ransomware victims are encouraged to refrain from paying the ransom, as it does not guarantee that data will be recovered, but instead encourages adversaries to target additional organizations and other cybercriminals to engage in ransomware distribution. Victims are also encouraged to report incidents to the FBI.

“Over the past two weeks alone, we’ve seen ransomware take down Garmin, watched Netwalker spread, and experienced another round of attacks on QNAP devices. Despite a long history of documented examples of ransomware, including knowledge of specific tools and defense use cases, organizations continue to fall victim to this type of attack,” AJ Nash, Sr. Director of Cyber Intelligence Strategy at Anomali, told SecurityWeek. “Cybercriminals are not going to get out of the ransomware business anytime soon, it’s simply too cheap and successful a tactic for them to abandon. Organizations can greatly reduce the threats posed by ransomware by doing a few simple things. Make sure you are managing and identifying assets, patching, training, automating where possible, and using intelligence to get ahead of the assaults.”

Organizations are also advised to always keep their data backed up, ensure that copies of critical data are stored securely, use anti-malware software and two-factor authentication, use secure networks, and always make sure that devices within the enterprise environment are up to date.

*Updated with commentary from AJ Nash

Related: UCSF Pays Cybercriminals $1.14 Million After Ransomware Attack

Related: Ransomware Operators Claim They Hacked Printing Giant Xerox

Related: Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak