
FBI Warns of NetWalker Ransomware Targeting Businesses

The Federal Bureau of Investigation this week released an alert to warn businesses of ongoing cyberattacks involving the NetWalker ransomware.

NetWalker, also known as Mailto, has become a widely known threat following a series of high-profile attacks in March 2020, such as those targeting a transportation and logistics company in Australia, and a public health organization in the United States.

In June, the University of California San Francisco (UCSF) revealed that it paid over $1 million to recover from a ransomware attack. Although the university did not name the malware family involved, NetWalker was reportedly responsible for the attack.

“As of June 2020, the FBI has received notifications of NetWalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors,” the FBI’s alert reads.

Starting in March, the FBI says, NetWalker's operators have been sending COVID-19-themed phishing emails to distribute the ransomware. In April, they began exploiting known vulnerabilities in VPN appliances and web applications, and brute-forcing Remote Desktop Protocol (RDP) credentials, to gain initial access.

The actors have been observed exploiting CVE-2019-11510 (an arbitrary file read in Pulse Secure VPN appliances that exposes cached credentials) and CVE-2019-18935 (insecure .NET deserialization in Progress Telerik UI for ASP.NET AJAX, leading to remote code execution), as well as other security bugs. Various tools are employed post-compromise to steal credentials, exfiltrate data, and encrypt files.
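The RDP brute-forcing the FBI describes leaves a characteristic trail: bursts of failed logons (Windows Security event 4625) from one source address against many account names, sometimes followed by a success (event 4624) from the same address. The script below is an added illustration of that detection, not code from the FBI alert or from SecurityWeek. It assumes events have already been reduced to a constructed CSV-style line format (time, EventID, IpAddress, TargetUserName, LogonType), treats logon types 3 and 10 as RDP-related (RDP with Network Level Authentication commonly records failures as type 3), and uses illustrative threshold and window values that a real deployment would tune.

```python
"""Flag RDP password brute-forcing from Windows Security logon events.

Added example for this article; not FBI or SecurityWeek code.
Input (constructed format): "<ISO time>,<EventID>,<IpAddress>,<TargetUserName>,<LogonType>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types under which RDP attempts are recorded (assumption for this example):
# 10 = RemoteInteractive; 3 = Network, which is how NLA-protected RDP failures appear.
RDP_LOGON_TYPES = {3, 10}
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_event(line):
    """Parse one constructed event line into a dict."""
    time_s, event_id, ip, user, logon_type = line.strip().split(",")
    return {"time": datetime.fromisoformat(time_s), "event_id": int(event_id),
            "ip": ip, "user": user, "logon_type": int(logon_type)}


def detect_rdp_bruteforce(lines, window=timedelta(minutes=5), threshold=20):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside a sliding window, noting any later RDP success from that IP."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = defaultdict(deque)      # failures per IP still inside the window
    failures_total = defaultdict(int)
    alerts = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue                 # console/service logons are out of scope here
        if ev["event_id"] == SUCCESSFUL_LOGON:
            if ev["ip"] in alerts:   # success after a brute-force burst: likely compromise
                alerts[ev["ip"]]["success_after"] = ev["user"]
            continue
        if ev["event_id"] != FAILED_LOGON:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        failures_total[ev["ip"]] += 1
        while ev["time"] - q[0]["time"] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(ev["ip"], {"first_seen": q[0]["time"],
                                             "usernames": set(), "success_after": None})
            a["last_seen"] = ev["time"]
            a["usernames"].update(e["user"] for e in q)
    for ip, a in alerts.items():
        a["attempts"] = failures_total[ip]
    return alerts


def sample_events():
    """Constructed sample data: a spray of 25 failures in 72 s from 203.0.113.7
    followed by a success, three typos from 198.51.100.4, and console failures."""
    t0 = datetime(2020, 7, 29, 3, 14, 0)
    users = ["administrator", "admin", "backup", "svc_sql", "jsmith"]
    lines = [f"{(t0 + timedelta(seconds=3 * i)).isoformat()},4625,203.0.113.7,{users[i % 5]},3"
             for i in range(25)]
    lines.append(f"{(t0 + timedelta(seconds=90)).isoformat()},4624,203.0.113.7,svc_sql,10")
    lines += [f"{(t0 + timedelta(minutes=1, seconds=20 * i)).isoformat()},4625,198.51.100.4,jsmith,10"
              for i in range(3)]
    lines += [f"{(t0 + timedelta(seconds=10 * i)).isoformat()},4625,127.0.0.1,jsmith,2"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(sample_events()).items():
        print(ip, a["attempts"], "failures", sorted(a["usernames"]),
              "success as", a["success_after"])
```

The per-source sliding window catches both classic brute force (one account, many passwords) and password spraying (many accounts, few passwords each), since both accumulate failures behind one source address; the `success_after` field is what turns a noisy alert into an incident, because a 4624 from an address that was just spraying is a credential that should be reset immediately.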

“Following a successful intrusion, NetWalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options,” the FBI says.

Before encryption, the actors exfiltrate data for extortion leverage. They previously uploaded the stolen data to MEGA.NZ, a cloud storage and file-sharing service, but switched to website.dropmefiles.com starting in June.


Ransomware victims are encouraged not to pay the ransom: payment does not guarantee that data will be recovered, it emboldens the adversaries to target additional organizations, and it encourages other cybercriminals to take up ransomware distribution. Victims are also encouraged to report incidents to the FBI.

“Over the past two weeks alone, we’ve seen ransomware take down Garmin, watched Netwalker spread, and experienced another round of attacks on QNAP devices. Despite a long history of documented examples of ransomware, including knowledge of specific tools and defense use cases, organizations continue to fall victim to this type of attack,” AJ Nash, Sr. Director of Cyber Intelligence Strategy at Anomali, told SecurityWeek. “Cybercriminals are not going to get out of the ransomware business anytime soon, it’s simply too cheap and successful a tactic for them to abandon. Organizations can greatly reduce the threats posed by ransomware by doing a few simple things. Make sure you are managing and identifying assets, patching, training, automating where possible, and using intelligence to get ahead of the assaults.”

Organizations are also advised to always keep their data backed up, ensure that copies of critical data are stored securely, use anti-malware software and two-factor authentication, use secure networks, and always make sure that devices within the enterprise environment are up to date.

*Updated with commentary from AJ Nash

Related: UCSF Pays Cybercriminals $1.14 Million After Ransomware Attack

Related: Ransomware Operators Claim They Hacked Printing Giant Xerox

Related: Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
