What is Netwalker Ransomware?
Netwalker ransomware is a type of malware that encrypts a victim’s files, deletes backups, and demands payment in exchange for the decryption key. This ransomware typically arrives through a phishing email, often with a COVID-themed message, which contains a malicious attachment or link.
The attackers behind Netwalker extract a copy of the victim’s data before initiating the attack, and a subset of this stolen data is published on the dark web. Once the encryption process is complete, the victim receives a ransom note requesting payment in Bitcoin, which must be made using a TOR browser to communicate with the attacker’s C&C server anonymously. The victim then receives the decryption key and can unlock their files.
The impact of Netwalker has already been felt, with one medical research institution paying a $1.14M ransom to protect its compromised data.
Netwalker Targets VPNs
Netwalker’s operators initially used mass-volume spam emails and phishing links to infect computers in a network. In April 2020, however, they shifted to targeting larger organizations, gaining unauthorized network access through unpatched VPN appliances or weak passwords. The FBI warns that vulnerabilities in Telerik UI and Pulse Secure VPN are commonly exploited by Netwalker to execute its attacks.
Netwalker adopts the RaaS Model
Netwalker now operates under a Ransomware-as-a-Service (RaaS) model. The cybercrime group Circus Spider, which created Netwalker in 2019, recruits affiliates with network experience and fluency in Russian to spread the malware. Affiliates have access to a fully automatic TOR chat panel, adjacent network encryption, instant payouts, and more. This ransomware is used to target a range of industries, with healthcare and education institutions being the most commonly affected. Netwalker also joins the growing list of ransomware groups to exploit the COVID-19 pandemic for their benefit.
Examples of Netwalker Ransomware Attacks
Netwalker affiliates will target a wide range of industries, across a wide range of countries. Some of Netwalker’s most notable victims include:
- The Crozer-Keystone Health System
- Toll Group, an Australian transport company
- California University’s Covid research sector
- The Austrian city of Weiz
- K-Electric, Pakistan’s largest private power utility
- Argentina’s official immigration agency
In exchange for carrying out these attacks, affiliates can keep as much as 80% of each ransom payment they successfully extort from their victims.
How Does Netwalker Ransomware Work?
Broadly speaking, Netwalker ransomware executes in three main phases:
Phase 1: Infiltration via Phishing
Netwalker ransomware relies on phishing and spear-phishing tactics to gain access to victims’ systems. The attackers will send emails that appear legitimate, tricking recipients into opening attachments or clicking links that contain the malware. For instance, the attackers often use a VBS script called “CORONAVIRUS_COVID-19.vbs” to initiate the ransomware attack.
Phase 2: Encryption and Data Exfiltration
If the script successfully runs on your system, the encryption process will begin. Netwalker ransomware disguises itself as a legitimate Microsoft executable by removing the original code from that executable and injecting its own malicious code in its place. This technique is called “process hollowing”, and it grants the ransomware ample time to move around within the network undetected while it exfiltrates and encrypts data, removes backups, and creates backdoors without raising any alarms.
Phase 3: Extortion and Payment
After Netwalker completes the exfiltration and encryption of data, the victim becomes aware of a problem upon discovering the ransom note. The standard ransom note from Netwalker explains the situation and outlines what actions are necessary to retrieve the data safely. The Circus Spider group then requires payment in Bitcoin through a TOR browser portal. If the victims meet the requirements, they receive access to the decryption tool to retrieve the data safely. If the victim fails to pay within a specified time-frame, Circus Spider may escalate the ransom amount or release the stolen data on the dark web.
How to Protect Yourself from Netwalker Ransomware
Netwalker ransomware is not much different from other sophisticated strains of ransomware. As such, many of the techniques used to mitigate Netwalker attacks are the same. The first and most obvious defense against ransomware is to ensure that all employees are sufficiently trained to identify phishing emails. Beyond that, you will need to:
- Back up all data and store it in a secure location. Ideally, backups should be encrypted and stored off-line, or at least off-network.
- Disable Remote Desktop Protocol (RDP) if you are not using it. If you really need to use RDP, at least ensure that it is running on a non-standard port.
- Set up Software Restriction Policies in Group Policy to help you prevent and control the execution of certain applications, most notably Visual Basic scripts and .EXE files.
- Ensure that all updates/patches are installed as soon as they become available. Consider using an automated and centralized patch management solution to streamline the process.
- Monitor for suspicious inbound and outbound network traffic. Since the attackers will be sending data between the victim’s device and the attacker’s Command & Control (C&C) server, it would be a good idea to adopt a sophisticated Intrusion Prevention System (IPS) or Data Loss Prevention (DLP) solution to identify and block suspicious communication channels in real-time.
- Monitor for suspicious file & folder activity, especially activity that involves copying or encrypting a large number of files. Real-time file auditing software is available that can detect and respond to events that match a pre-defined threshold condition. For example, if X number of files have been copied or encrypted within a given time frame, a custom script can be executed which might disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
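The threshold condition described in the last item can be expressed as a sliding-window count per user. The following is an added example, not code from Lepide or any auditing product; the event tuple layout, the 25-file threshold, the 60-second window and the `on_alert` callback are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_ACTIONS = {"modify", "rename", "delete"}  # assumed action names

def sample_events():
    """Constructed audit events: (timestamp, user, action, path)."""
    base = datetime(2020, 6, 1, 9, 0, 0)
    events = [
        (base, "alice", "modify", "D:/shares/hr/plan.docx"),
        (base + timedelta(minutes=5), "alice", "modify", "D:/shares/hr/notes.txt"),
    ]
    # One account rewrites 40 files in 20 seconds (automated behaviour).
    for i in range(40):
        ts = base + timedelta(minutes=10, seconds=i * 0.5)
        events.append((ts, "bob", "modify", f"D:/shares/finance/doc{i}.xlsx"))
    return sorted(events)

def detect_bursts(events, threshold=25, window=timedelta(seconds=60), on_alert=None):
    """Alert once per user when they touch `threshold` distinct files
    inside `window`. Events must be in timestamp order."""
    recent = defaultdict(deque)  # user -> (timestamp, path) inside the window
    alerts = {}
    for ts, user, action, path in events:
        if action not in WATCHED_ACTIONS or user in alerts:
            continue
        queue = recent[user]
        queue.append((ts, path))
        # Drop events that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        distinct = len({p for _, p in queue})
        if distinct >= threshold:
            alerts[user] = {"user": user, "window_start": queue[0][0],
                            "triggered_at": ts, "files": distinct}
            if on_alert:  # hypothetical response hook, e.g. disable the account
                on_alert(alerts[user])
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(f"{alert['user']}: {alert['files']} files between "
              f"{alert['window_start']} and {alert['triggered_at']}")
```

Counting distinct paths rather than raw events keeps repeated saves of one document from tripping the threshold, and alerting once per user avoids running the response action repeatedly during the same burst.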
While not so relevant for preventing Netwalker ransomware attacks, it is always good practice to ensure that account passwords are strong, unique, and periodically rotated. Use multi-factor authentication whenever possible, and ensure that users are granted the least privileges they need to perform their role.
How can Lepide help to prevent Netwalker Ransomware attacks?
The Lepide Data Security Platform enables companies to adopt a more proactive approach to ransomware detection and response.
Behavior-Based Threat Detection: Lepide can help protect your organization through behavior-based threat detection by alerting you to early signs of compromise at each phase of the kill chain. By building users’ profiles across multiple platforms, Lepide can correlate deviations in email behavior with suspicious logon events and data access to identify potential threats.
Phishing Detection: Lepide can detect potential phishing attempts by monitoring Microsoft Exchange and Exchange Online mailboxes to detect when a user downloads an attachment or clicks on a link within the body of an email.
Sensitive Data Access Detection: Lepide uses machine learning models to learn how specific users access data regularly and can detect when that user starts to access data in an unusual way. Lepide uses “threshold alerting” to differentiate between manual and automated actions, such as when a script encrypts a certain number of files within a given time-frame. If a user begins to exfiltrate and encrypt files in an abnormal manner, a custom script can be executed to stop the ransomware in its tracks.
Privileged account management: Users can view a summary of all user permissions via an intuitive dashboard. This makes it easier to manage permissions so that users only have access to the data they need to perform their duties, reducing the likelihood of a successful Netwalker Ransomware attack.
Ransomware continues to be a significant challenge for organizations, and they must be vigilant in protecting their systems against attacks. If you’d like to see how the Lepide Data Security Platform can help you detect and prevent ransomware attacks, schedule a demo with one of our engineers.