This week, the Federal Bureau of Investigation (FBI) released a TLP:WHITE FLASH advisory following a rise in attacks involving the NetWalker ransomware. NetWalker is a relatively new ransomware threat that came to attention in March 2020, shortly after a transportation and logistics firm in Australia and the University of California, San Francisco suffered attacks. UC San Francisco paid a ransom of about $1.14 million to obtain the keys needed to decrypt files and recover important research data. One recent healthcare victim was Lorien Health Services, a nursing home operator based in Maryland.
The threat group has exploited the COVID-19 crisis to carry out attacks and has focused on government agencies, private firms, educational organizations, healthcare companies, and entities engaged in COVID-19 research.
The threat group initially used email as its attack vector, sending COVID-19 themed phishing emails carrying a malicious Visual Basic Scripting (.vbs) attachment. In April, the group also began exploiting unpatched vulnerabilities in VPN appliances and web application components, such as Telerik UI (CVE-2019-18935) and the Pulse Secure VPN vulnerability (CVE-2019-11510).
The threat group is also known to attack vulnerable user interface components in web applications. Mimikatz is used to steal credentials, and the penetration-testing tool PsExec is used to gain access to further systems. Before files are encrypted with NetWalker, sensitive files are located and exfiltrated. Initially, data was exfiltrated through the MEGA website or by installing the MEGA client directly on a victim's computer; more recently the dropmefiles.com file-sharing site has been used.
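As an added illustration (not part of the FBI advisory or this article), the script below shows how a defender might hunt for two of the behaviours described above: large uploads to the named file-sharing services, and PsExec service installations on internal hosts. The proxy log format, the host names and the mega.nz domain name are assumptions; the log lines and events are constructed.

```python
import re

# File-sharing services the advisory associates with NetWalker exfiltration.
# Assumption: mega.nz is MEGA's domain; the advisory only says "the MEGA site".
EXFIL_DOMAINS = ("mega.nz", "dropmefiles.com")

# Constructed proxy log: timestamp, source host, method, destination host, bytes sent.
PROXY_LOG = """\
2020-07-28T09:12:03Z ws-117 GET intranet.example.local 512
2020-07-28T09:14:41Z ws-117 PUT mega.nz 734003200
2020-07-28T09:20:05Z ws-042 GET www.example.com 2048
2020-07-28T09:31:19Z ws-117 POST dropmefiles.com 98304000
"""

# Constructed Windows System-log events. Event ID 7045 means "a service was
# installed"; PsExec installs a service named PSEXESVC on the target host.
SERVICE_EVENTS = [
    {"host": "srv-db01", "event_id": 7045, "service": "PSEXESVC"},
    {"host": "srv-db01", "event_id": 7045, "service": "BackupAgent"},
    {"host": "ws-042", "event_id": 7036, "service": "Spooler"},
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def find_exfil_uploads(log_text, min_bytes=10 * 1024 * 1024):
    """Return (source host, destination, bytes) for large uploads to listed domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, method, dst, sent = m.groups()
        to_exfil_site = any(dst == d or dst.endswith("." + d) for d in EXFIL_DOMAINS)
        if method in ("PUT", "POST") and int(sent) >= min_bytes and to_exfil_site:
            hits.append((src, dst, int(sent)))
    return hits


def find_psexec_installs(events):
    """Return hosts where a 7045 event recorded the PSEXESVC service being installed."""
    return [e["host"] for e in events
            if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC"]


if __name__ == "__main__":
    for src, dst, sent in find_exfil_uploads(PROXY_LOG):
        print(f"possible exfiltration: {src} sent {sent} bytes to {dst}")
    for host in find_psexec_installs(SERVICE_EVENTS):
        print(f"PsExec service installed on {host}")
```

The byte threshold and domain list are the tunable parts; in practice the domain list would be fed from threat intelligence rather than hard-coded.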
Earlier this year, the NetWalker group began advertising on hacking forums to recruit a select group of affiliates who could provide access to the networks of large organizations. It is not clear how successful the recruitment was, but attacks escalated throughout June and July.
The FBI has urged victims not to pay the ransom demand and to report any ransomware attack to their local FBI field office. Paying ransoms may embolden cybercriminals to target more organizations, encourage other threat actors to distribute ransomware, and/or fund illicit activities. Paying also does not guarantee that a victim's data will be restored. Nevertheless, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
A variety of methods are used to gain access to networks, so there is no single mitigation that will prevent attacks from succeeding. The FBI advises keeping all computers, devices, and applications up to date and applying patches promptly; using multi-factor authentication to prevent stolen credentials from being used to access systems; and enforcing strong passwords to defeat brute-force attacks. Install up-to-date anti-virus/anti-malware software on all hosts and run regular scans.
To ensure recovery from an attack without paying the ransom, businesses must back up all important data and keep those backups offline on a non-networked device or in the cloud. The backup must not be reachable from the system where the data resides. Ideally, make several backup copies and store each in a different location.