Cybercrime has grown exponentially in 2020: ransomware Emotet, Trickbot, Maze, Ryuk, and now Netwalker have become a major problem in all industries, large and small, public and private, and there is no reason to believe that this trend will wane.
In 2019, cybercriminals extorted about $11.5 billion from their victims. For comparison, in 2018 this figure was $8 billion. Experts estimate that losses from ransomware attacks will grow by almost 100% by 2021 to reach $20 billion. Since its first attacks in March 2020, Netwalker, also known as Mailto, has allowed attackers to extort more than $30 million in ransom.
What is Netwalker ransomware?
Netwalker is a rapidly growing ransomware program created in 2019 by a cybercriminal group known as Circus Spider. Circus Spider is one of the newer members of the larger Mummy Spider group. At first glance, Netwalker acts like most other ransomware flavors: it infiltrates the system through phishing emails, exfiltrates and encrypts sensitive data, and then holds it for ransom.
Alas, Netwalker is capable of more than just keeping captured data hostage. To demonstrate its seriousness, Circus Spider publishes a sample of the stolen data on the Internet, stating that if the victim does not comply with their requirements in time, then the rest of the data will go to the darknet. Circus Spider posts sensitive victim data on the darknet in a password-protected folder and publishes the password on the Internet.
Netwalker ransomware uses the ransomware as a service (RaaS) model.
In March 2020, members of Circus Spider decided to make Netwalker a household name. They expanded their affiliate network in a similar way to the group of criminals behind Maze. Migrating to ransomware-as-a-service (RaaS) allowed them to scale up significantly, target more organizations, and increase the ransoms they received.
The RaaS model involves recruiting "assistants" (affiliates) to help carry out the criminal plans. As mentioned above, Netwalker was starting to gain traction and already had a number of big results. However, compared to other large ransomware groups, they remained small ... until they switched to the RaaS model.
To earn the "honor" of joining their small criminal group, Circus Spider posted a specific set of required criteria - a kind of criminal job vacancy, if you will.
Their main criteria when choosing "assistants":
- experience with networks;
- fluency in Russian (they do not accept English speakers);
- they will not train inexperienced applicants;
- having constant access to goals that are of value to them;
- evidence of experience.
To attract as many potential supporters as possible, Circus Spider has published a list of opportunities that their new partners will have access to.
They include:
- fully automatic TOR chat panel;
- observer rights;
- support for all Windows devices starting from Windows 2000;
- fast multithreaded blocker;
- fast and flexible blocker settings;
- access to unlocking processes;
- encryption of the adjacent network;
- unique PowerShell builds to ease dealing with antivirus software;
- instant payments.
Who and what is the Netwalker ransomware targeting?
Since the first major result in March 2020, there has been a surge in Netwalker ransomware attacks. Its first targets were healthcare and educational institutions. One of their most publicly reported campaigns was conducted against a major university specializing in medical research. The ransomware stole the confidential data of this university, and to show that it was serious, the attackers made a sample of the stolen data publicly available. This data included student applications containing information such as social security numbers and other sensitive data. This breach resulted in the university paying the attackers a ransom of $1.14 million to decrypt their data.
The attackers behind Netwalker have made a serious attempt to capitalize on the chaos of the coronavirus epidemic. They sent out phishing emails about the pandemic, targeting healthcare facilities that were already overwhelmed by those affected by the pandemic. The website of one of the first healthcare victims was blocked by the ransomware just as people began to turn to it for advice during the pandemic. This attack forced the victim to launch a second site and redirect users to it, causing concern and confusion among all involved. Throughout the year, Netwalker and other ransomware groups continued to attack healthcare facilities, taking advantage of their lack of security focus.
In addition to healthcare and education, Netwalker attacks organizations in other industries, including:
- production;
- business management;
- customer experience and service quality management;
- electric vehicles and solutions for electricity storage;
- education;
- and many others.
How does Netwalker work?
Step 1: phishing and infiltration
Netwalker relies heavily on phishing and spear phishing as infiltration methods. Compared to other ransomware, Netwalker's phishing emails are frequent. These emails look legitimate and easily mislead victims. Typically, Netwalker attaches a VBS script named CORONAVIRUS_COVID-19.vbs that launches the ransomware if the recipient opens the attached document containing the malicious script.
Step 2: exfiltrate and encrypt data
If the script opens and runs on your system, then Netwalker has begun to infiltrate your network. From this moment, the countdown to encryption begins. Once on the system, the ransomware disguises itself as an innocuous process, usually in the form of a Microsoft executable. It does this by hollowing out the executable's own code and injecting its malicious code into it to access process.exe. This technique is known as Process Hollowing. It gives the ransomware the ability to stay active long enough to exfiltrate and encrypt data, delete backups, and leave itself backdoors in case someone notices something is wrong.
Step 3: extortion and recovery (or loss) of data
Once Netwalker finishes exfiltrating and encrypting the data, the victim discovers that the data has been stolen and finds a ransom note. The Netwalker ransom note is relatively standard: it explains what happened and what the user should do if they want their data back safe and sound. Circus Spider then demands payment of a certain sum in Bitcoin through a TOR browser portal.
Once the victim meets the requirements, they gain access to their individual decryption tool and can safely decrypt their data.
If the victim does not comply with the requirements in time, the attackers will increase the ransom or publish all or part of the stolen data on the darknet.
Below is a diagram of a specific Netwalker attack path.
Tips for protecting against Netwalker ransomware
Netwalker is becoming more sophisticated and more difficult to defend against. This is primarily due to the growth of its network of "assistants".
We recommend the following simple mitigation procedures:
- Back up important data to local data storage;
- Ensure that copies of critical data are stored in the cloud, on an external hard drive or storage device;
- , , ;
- ;
- Wi-Fi. VPN;
- ;
- , . Netwalker, -, , , , .
These procedures help limit the damage once the ransomware has infected your system, but they only limit it. Performing them proactively will help prevent the spread and reduce the damage from ransomware once it has entered your system. Informing and training employees in the basics of information security will be a powerful tool in the fight against Netwalker.
Don't fall for phishing tricks
Since Netwalker primarily infects systems by sending out phishing emails with malicious links and executable files, informing your organization about the dangers of phishing emails and what to look out for to filter out suspicious emails is a must to protect your sensitive data.
Mandatory regular training in the basics of information security is a great prevention tool to help your organization identify signs of malicious emails. Here's what to look out for every time you receive an email asking you to click on a link, download a file, or share your credentials:
- carefully check the name and domain from which the email is being sent;
- check for obvious spelling errors in the subject and body of the message;
- do not provide your credentials - legitimate senders will never ask for them;
- do not open suspicious attachments or follow suspicious links;
- report suspicious emails to your information security team.
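The checklist above (and the CORONAVIRUS_COVID-19.vbs lure described under Step 1) can be turned into an automated triage pass on inbound mail. The following is an added example, not code from the original article or from Varonis: it parses one message, checks whether the display name advertises a different domain than the real sender, whether the sender domain is a look-alike of a trusted domain, whether Reply-To points elsewhere, whether the body asks for credentials, and whether any attachment carries a script extension (including double extensions such as invoice.pdf.vbs). The trusted-domain list, the credential phrases, the extension list and the sample message are all constructed assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that execute when opened; .vbs covers the lure the article describes.
# This is an assumed policy list for the example, not an exhaustive one.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".scr"}
CREDENTIAL_PHRASES = ("verify your password", "enter your credentials", "confirm your login",
                      "your account will be suspended")
TRUSTED_DOMAINS = {"example.com"}  # assumed: the organisation's own and partner domains


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_email(raw):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    sender_domain = domain_of(addr)

    # 1. Display name advertises a different address/domain than the real sender.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != sender_domain:
        findings.append(f"display name claims {claimed.group(1)} but sender is {sender_domain}")

    # 2. Sender domain is one or two character edits away from a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if sender_domain != trusted and edit_distance(sender_domain, trusted) <= 2:
            findings.append(f"sender domain {sender_domain} resembles trusted domain {trusted}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain")

    # 4. Body asks the recipient for credentials.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    for phrase in CREDENTIAL_PHRASES:
        if phrase in text:
            findings.append(f"body requests credentials: '{phrase}'")

    # 5. Script attachments; only the final extension counts, so report.pdf.vbs is caught.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = fname[fname.rfind("."):] if "." in fname else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"executable attachment {fname}")
    return findings


def build_sample():
    """Constructed lure modelled on the article's description; not a real captured message."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk <helpdesk@example.com>" <alerts@examp1e.com>'
    msg["To"] = "staff@example.com"
    msg["Reply-To"] = "reply@mail-collector.invalid"
    msg["Subject"] = "COVID-19 update"
    msg.set_content("Please verify your password and open the attached document.")
    msg.add_attachment(b"' constructed placeholder, not malware\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="CORONAVIRUS_COVID-19.vbs")
    return msg.as_string()


def build_clean_sample():
    """Constructed benign message from a trusted domain, for comparison."""
    msg = EmailMessage()
    msg["From"] = "Finance <finance@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("The quarterly report is on the shared drive.")
    return msg.as_string()


if __name__ == "__main__":
    for finding in analyze_email(build_sample()):
        print("FLAG:", finding)
```

Each finding is a reason a reviewer can act on, which matters more than a single score: a message with a script attachment should be quarantined outright, whereas a lone Reply-To mismatch is often legitimate and only warrants a warning banner.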
We also recommend running simulated attacks. Sending fake phishing emails to people in your organization is a great way to gauge the effectiveness of your security training and determine who might need more help with this. Track user engagement metrics to see who is interacting with any links or attachments, entering their credentials, or reporting the email to the responsible service in your organization.
Use threat detection systems based on behavioral analysis
Training your organization to recognize and respond to phishing attacks associated with ransomware is a great help in protecting your sensitive data. However, early threat detection based on behavioral analysis will help limit your vulnerability to the destructive effects of ransomware.
If a compromised user account begins to access sensitive data, behavioral threat detection will immediately recognize this and notify you. For example, Varonis uses several behaviors to learn how particular users typically access data. This makes it possible to determine when the pattern of a user's data access, or the amount of data accessed, begins to differ from the usual. Varonis distinguishes between manual and automated actions and catches a user who starts moving or encrypting files in an unusual way, stopping the ransomware from the very beginning. Many of our customers automate the response to this behavior by disabling the account and terminating its active connections.
It is also important to continuously monitor file system activity in order to recognize in time when ransomware is saving known infiltration tools to disk (a common Netwalker tactic), or when a user searches file shares for files with passwords or other sensitive data.
Any user account usually has access to much more data than is necessary, so these searches are often fruitful. Read below how to mitigate these risks.
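The three signals described above (a per-user baseline of file activity, known tools being written to disk, and searches for password files) can be prototyped over a file-activity log. The following is an added example, not Varonis code and not the article's own: it learns each user's normal write/rename rate from a quiet period, then scans live events with a sliding one-minute window and flags a user on a burst well above their baseline or on repeated renames to a ransomware-style extension, while also flagging watch-listed tool names and credential-hunting searches. The log format, the tool watch-list, the placeholder extensions (Netwalker's real marker is not on this page) and all sample events are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
BURST_FACTOR = 5      # alert at 5x the user's usual write/rename rate ...
BURST_FLOOR = 20      # ... but never on fewer than 20 events per minute (tiny baselines)
EXT_HITS = 3          # or after 3 renames to a ransomware-style extension inside one window
RANSOM_EXTENSIONS = {".locked", ".encrypted"}   # constructed placeholders, not Netwalker's marker
TOOL_WATCHLIST = {"hypothetical-hacktool.exe"}  # constructed placeholder for a known-tool list
SENSITIVE_TERMS = ("password", "passwd", "credential")


def parse_event(line):
    """Events use a constructed 'ISO-time user ACTION target' format."""
    ts, user, action, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, target


def baseline_rates(history):
    """Per-user write/rename events per minute, learned over a known-quiet period."""
    counts = defaultdict(int)
    stamps = []
    for line in history:
        ts, user, action, _ = parse_event(line)
        stamps.append(ts)
        if action in ("WRITE", "RENAME"):
            counts[user] += 1
    span = max((max(stamps) - min(stamps)).total_seconds() / 60, 1) if stamps else 1
    return {u: n / span for u, n in counts.items()}


def detect(history, live):
    """Return (alerts, users to contain). Alerts are (user, reason, target) tuples."""
    baselines = baseline_rates(history)
    recent = defaultdict(deque)     # user -> timestamps of write/rename events in the window
    ext_hits = defaultdict(deque)   # user -> timestamps of renames to a ransom extension
    alerts, contain = [], set()
    for line in live:
        ts, user, action, target = parse_event(line)
        name = target.rsplit("/", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if action == "WRITE" and name in TOOL_WATCHLIST:
            alerts.append((user, "known tool written to disk", target))
        if action == "SEARCH" and any(t in target.lower() for t in SENSITIVE_TERMS):
            alerts.append((user, "search for credential files", target))
        if action in ("WRITE", "RENAME"):
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:          # drop events older than the window
                q.popleft()
            if action == "RENAME" and ext in RANSOM_EXTENSIONS:
                h = ext_hits[user]
                h.append(ts)
                while ts - h[0] > WINDOW:
                    h.popleft()
            threshold = max(baselines.get(user, 0.0) * BURST_FACTOR, BURST_FLOOR)
            if user not in contain and (len(q) > threshold or len(ext_hits[user]) >= EXT_HITS):
                contain.add(user)   # candidate for automated account disable / session kill
                alerts.append((user, "mass modification/encryption pattern", target))
    return alerts, contain


BASE = datetime(2020, 10, 1, 9, 0, 0)


def sample_history():
    """Constructed quiet period: two users each saving a file every 30 seconds."""
    lines = []
    for minute in range(10):
        for user in ("alice", "bob"):
            for second in (0, 30):
                t = BASE + timedelta(minutes=minute, seconds=second)
                lines.append(f"{t.isoformat()} {user} WRITE /shares/finance/{user}-{minute}-{second}.xlsx")
    return lines


def sample_live():
    """Constructed live window: alice works normally, bob's account behaves like ransomware."""
    start = BASE + timedelta(hours=1)
    lines = [f"{(start + timedelta(seconds=i * 20)).isoformat()} alice WRITE /shares/finance/budget{i}.xlsx"
             for i in range(3)]
    lines.append(f"{start.isoformat()} bob WRITE /home/bob/hypothetical-hacktool.exe")
    lines.append(f"{(start + timedelta(seconds=5)).isoformat()} bob SEARCH //fileserver/shares query=*password*")
    for i in range(30):
        t = start + timedelta(seconds=10 + i)
        lines.append(f"{t.isoformat()} bob RENAME /shares/finance/report{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    found, to_contain = detect(sample_history(), sample_live())
    for a in found:
        print("ALERT:", a)
    print("contain:", sorted(to_contain))
```

The per-user baseline is what keeps this from paging on a legitimate bulk job: a backup operator whose normal rate is hundreds of writes a minute gets a correspondingly higher threshold, while the extension check still fires regardless of rate. The `contain` set is the hook for the automated response the text describes (disable the account, terminate its sessions), which should be wired to an action rather than just printed.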
Move to the Zero Trust model
Correct detection is an important step in protecting your organization from ransomware. However, it is equally important to create conditions under which, even if the ransomware evades initial detection, its damage will be minimal. Organizations can do this by minimizing the data they expose. Thus, the amount of data that can be encrypted or stolen will be limited.
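Limiting exposure is measurable: the set of folders a compromised account can modify is exactly what ransomware running under that account can encrypt. The following is an added example, not part of the article and not Varonis code: over a constructed snapshot of share permissions, group membership and an access log, it computes each user's "blast radius", lists sensitive folders open to broad groups, finds grants that nobody has used in 90 days, and shows how much the blast radius shrinks once those are removed. All folder names, groups, users and log entries are constructed for the example.

```python
from copy import deepcopy
from datetime import datetime, timedelta

BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
STALE_AFTER = timedelta(days=90)
NOW = datetime(2020, 10, 1)

# Constructed directory snapshot; none of this is real data.
ALL_USERS = {"alice", "bob", "carol"}
MEMBERSHIP = {"Everyone": ALL_USERS, "Domain Users": ALL_USERS,
              "Finance": {"alice", "bob"}, "HR": {"carol"}}
ACLS = {  # folder -> {principal: permission}
    "/shares/public":   {"Everyone": "modify"},
    "/shares/finance":  {"Finance": "modify", "Domain Users": "read"},
    "/shares/hr":       {"HR": "modify", "Everyone": "modify"},
    "/shares/projects": {"Domain Users": "modify"},
}
SENSITIVE = {"/shares/finance", "/shares/hr"}
ACCESS_LOG = [  # (when, user, folder); constructed
    (NOW - timedelta(days=1), "alice", "/shares/finance"),
    (NOW - timedelta(days=3), "alice", "/shares/public"),
    (NOW - timedelta(days=120), "bob", "/shares/finance"),
    (NOW - timedelta(days=2), "bob", "/shares/projects"),
    (NOW - timedelta(days=5), "carol", "/shares/hr"),
]


def members(principal, membership):
    """Users behind a principal; an unknown principal is treated as a single user."""
    return membership.get(principal, {principal})


def blast_radius(user, acls, membership):
    """Folders a process running as `user` could modify, i.e. what ransomware could encrypt."""
    return {folder for folder, entries in acls.items()
            for principal, perm in entries.items()
            if perm == "modify" and user in members(principal, membership)}


def broad_exposure(acls, sensitive):
    """Sensitive folders granted to catch-all groups."""
    return sorted((folder, p) for folder in sensitive for p in acls[folder] if p in BROAD_GROUPS)


def stale_grants(acls, membership, log, now):
    """(user, group, folder) grants that the user has not exercised within STALE_AFTER."""
    last = {}
    for when, user, folder in log:
        last[(user, folder)] = max(last.get((user, folder), when), when)
    stale = set()
    for folder, entries in acls.items():
        for principal in entries:
            if principal in BROAD_GROUPS:
                continue  # reported by broad_exposure instead
            for user in members(principal, membership):
                seen = last.get((user, folder))
                if seen is None or now - seen > STALE_AFTER:
                    stale.add((user, principal, folder))
    return sorted(stale)


def harden(acls, membership, sensitive, log, now):
    """Return copies with broad grants on sensitive folders and stale group members removed."""
    acls, membership = deepcopy(acls), deepcopy(membership)
    for folder, principal in broad_exposure(acls, sensitive):
        del acls[folder][principal]
    for user, principal, _ in stale_grants(acls, membership, log, now):
        membership[principal].discard(user)
    return acls, membership


if __name__ == "__main__":
    for u in sorted(ALL_USERS):
        print(u, "can encrypt", sorted(blast_radius(u, ACLS, MEMBERSHIP)))
    print("broad exposure:", broad_exposure(ACLS, SENSITIVE))
    print("stale grants:", stale_grants(ACLS, MEMBERSHIP, ACCESS_LOG, NOW))
    hardened_acls, hardened_membership = harden(ACLS, MEMBERSHIP, SENSITIVE, ACCESS_LOG, NOW)
    for u in sorted(ALL_USERS):
        print(u, "after hardening", sorted(blast_radius(u, hardened_acls, hardened_membership)))
```

One caveat the example makes visible: removing a user from a group because one of that group's folders is unused also removes the user's access to every other folder the group grants, so in practice stale findings are reviewed per group rather than applied blindly.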
If you suspect that you are a victim of Netwalker ransomware, search for all file accesses and changes made by any user over any period of time to pinpoint the affected files and restore the correct versions. You can also contact the Varonis Incident Response Service and we will help you investigate the incident free of charge.