Security Experts:

Connect with us

Hi, what are you looking for?



FBI Warns of NetWalker Ransomware Targeting Businesses

The Federal Bureau of Investigation this week released an alert to warn businesses of ongoing cyberattacks involving the NetWalker ransomware.

The Federal Bureau of Investigation this week released an alert to warn businesses of ongoing cyberattacks involving the NetWalker ransomware.

NetWalker, also known as Mailto, has become a widely known threat following a series of high-profile attacks in March 2020, such as those targeting a transportation and logistics company in Australia, and a public health organization in the United States.

In June, the University of California San Francisco (UCSF) revealed that it paid over $1 million to recover from a ransomware attack. Although it did not say which malware family was used in the incident, the NetWalker ransomware was supposedly responsible for the attack.

“As of June 2020, the FBI has received notifications of NetWalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors,” the FBI’s alert reads.

Starting March, the FBI says, NetWalker’s operators have been leveraging COVID-19-related themes in phishing emails distributing the ransomware. The next month, they began targeting known vulnerabilities in VPN appliances and web apps, as well as Remote Desktop Protocol connections, via brute force attacks.

The threat has been observed targeting vulnerabilities affecting the Pulse Secure VPN (CVE-2019-11510) and Progress Telerik UI (CVE-2019-18935), as well as other security bugs. Various tools are employed post-compromise, to steal credentials and data and to encrypt user files.

“Following a successful intrusion, NetWalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options,” the FBI says.

The threat actor used to upload the stolen data to MEGA.NZ, a service that provides cloud storage and file sharing functionality, but switched to starting June.

Ransomware victims are encouraged to refrain from paying the ransom, as it does not guarantee that data will be recovered, but instead encourages adversaries to target additional organizations and other cybercriminals to engage in ransomware distribution. Victims are also encouraged to report incidents to the FBI.

“Over the past two weeks alone, we’ve seen ransomware take down Garmin, watched Netwalker spread, and experienced another round of attacks on QNAP devices. Despite a long history of documented examples of ransomware, including knowledge of specific tools and defense use cases, organizations continue to fall victim to this type of attack,” AJ Nash, Sr. Director of Cyber Intelligence Strategy at Anomali, told SecurityWeek. “Cybercriminals are not going to get out of the ransomware business anytime soon, it’s simply too cheap and successful a tactic for them to abandon. Organizations can greatly reduce the threats posed by ransomware by doing a few simple things. Make sure you are managing and identifying assets, patching, training, automating where possible, and using intelligence to get ahead of the assaults.”

Organizations are also advised to always keep their data backed up, ensure that copies of critical data are stored securely, use anti-malware software and two-factor authentication, use secure networks, and always make sure that devices within the enterprise environment are up to date.

*Updated with commentary from AJ Nash

Related: UCSF Pays Cybercriminals $1.14 Million After Ransomware Attack

Related: Ransomware Operators Claim They Hacked Printing Giant Xerox

Related: Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.