The Federal Bureau of Investigation this week released an alert to warn businesses of ongoing cyberattacks involving the NetWalker ransomware.
NetWalker, also known as Mailto, has become a widely known threat following a series of high-profile attacks in March 2020, such as those targeting a transportation and logistics company in Australia, and a public health organization in the United States.
In June, the University of California San Francisco (UCSF) revealed that it paid over $1 million to recover from a ransomware attack. Although it did not say which malware family was used in the incident, the NetWalker ransomware was reportedly responsible for the attack.
“As of June 2020, the FBI has received notifications of NetWalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors,” the FBI’s alert reads.
Starting in March, the FBI says, NetWalker’s operators have been leveraging COVID-19-related themes in phishing emails distributing the ransomware. The next month, they began targeting known vulnerabilities in VPN appliances and web apps, as well as Remote Desktop Protocol (RDP) connections, via brute force attacks.
The threat has been observed targeting vulnerabilities affecting the Pulse Secure VPN (CVE-2019-11510) and Progress Telerik UI (CVE-2019-18935), as well as other security bugs. Various tools are employed post-compromise to steal credentials and data and to encrypt user files.
“Following a successful intrusion, NetWalker encrypts all connected Windows-based devices and data, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names, and various configuration options,” the FBI says.
The threat actor used to upload stolen data to MEGA.NZ, a service that provides cloud storage and file sharing functionality, but switched to website.dropmefiles.com starting in June.
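The two observable behaviours the alert describes, RDP brute-force attempts as an initial access vector and bulk uploads to the named file-sharing services as the exfiltration channel, both leave traces in ordinary logs. The following is an added example, not code from the FBI alert or from SecurityWeek, showing how a defender could surface both from Windows Security events and web proxy logs. The log line format, the field names, the thresholds (5 failed RDP logons within 5 minutes, uploads of 50 MB or more) and the sample lines themselves are constructed assumptions for illustration; only the event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and the two domains come from Windows and the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events, flattened to one line each
# (assumed format, not a real export). 4625 = failed logon, 4624 = successful
# logon, LogonType=10 = RemoteInteractive, i.e. RDP.
SAMPLE_AUTH_LOG = """\
2020-04-02T03:10:01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=198.51.100.7
2020-04-02T03:10:04 EventID=4625 LogonType=10 TargetUser=admin SrcIP=198.51.100.7
2020-04-02T03:10:07 EventID=4625 LogonType=10 TargetUser=backup SrcIP=198.51.100.7
2020-04-02T03:10:09 EventID=4625 LogonType=10 TargetUser=sql SrcIP=198.51.100.7
2020-04-02T03:10:12 EventID=4625 LogonType=10 TargetUser=scanner SrcIP=198.51.100.7
2020-04-02T03:10:15 EventID=4624 LogonType=10 TargetUser=scanner SrcIP=198.51.100.7
2020-04-02T09:00:00 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=192.0.2.10
2020-04-02T09:45:00 EventID=4625 LogonType=2 TargetUser=jsmith SrcIP=-
"""

# Constructed sample proxy log lines (assumed format). Domains are the two
# exfiltration destinations named in the FBI alert.
SAMPLE_PROXY_LOG = """\
2020-06-15T22:14:03 host=mega.nz method=PUT bytes=734003200 src=10.0.5.23
2020-06-15T22:20:41 host=www.example.com method=GET bytes=1200 src=10.0.5.23
2020-06-16T01:02:17 host=website.dropmefiles.com method=POST bytes=524288000 src=10.0.5.23
"""

EXFIL_DOMAINS = {"mega.nz", "website.dropmefiles.com"}

AUTH_RE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SrcIP=(\S+)")
PROXY_RE = re.compile(r"(\S+) host=(\S+) method=(\S+) bytes=(\d+) src=(\S+)")


def parse_auth(text):
    """Yield one dict per parseable auth line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        yield {
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        }


def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": n, "success_after": bool}} for every source
    that produced at least `threshold` failed RDP logons inside `window`.
    success_after records whether the same source later logged on successfully
    over RDP, which is the case that needs immediate triage."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in parse_auth(text):
        if ev["logon_type"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(ev["ts"])
        elif ev["event_id"] == 4624:
            successes[ev["src"]].append(ev["ts"])

    findings = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: for each failure, count failures within `window` of it.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                later_success = any(t >= times[i] for t in successes.get(src, []))
                findings[src] = {"failures": j - i, "success_after": later_success}
                break
    return findings


def exfil_uploads(text, min_bytes=50_000_000):
    """Return large PUT/POST transfers to the alert's named file-sharing domains
    (or their subdomains) as a list of dicts, in log order."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, host, method, nbytes, src = m.groups()
        host_l = host.lower()
        named = host_l in EXFIL_DOMAINS or any(host_l.endswith("." + d) for d in EXFIL_DOMAINS)
        if named and method in ("PUT", "POST") and int(nbytes) >= min_bytes:
            hits.append({"ts": ts, "host": host_l, "bytes": int(nbytes), "src": src})
    return hits


if __name__ == "__main__":
    for src, info in rdp_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"RDP brute force from {src}: {info}")
    for hit in exfil_uploads(SAMPLE_PROXY_LOG):
        print(f"possible exfiltration: {hit}")
```

On the sample data the single-failure source and the non-RDP logon failure are ignored, while the burst from 198.51.100.7 is reported together with the fact that it ended in a successful logon; the two large uploads are flagged and the ordinary GET is not. In production the thresholds should be tuned to the environment, and the domain match should be applied to the proxy's destination host field rather than to URL substrings, so that lookalike hosts are not silently accepted.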
Ransomware victims are encouraged to refrain from paying the ransom: payment does not guarantee that data will be recovered, and it encourages adversaries to target additional organizations and other cybercriminals to take up ransomware distribution. Victims are also encouraged to report incidents to the FBI.
Organizations are advised to always keep their data backed up, ensure that copies of critical data are stored securely, use anti-malware software and two-factor authentication, use secure networks, and always make sure that devices within the enterprise environment are up to date.