The FBI has issued a Flash Alert following an increase in Netwalker ransomware attacks in the United States. Netwalker ransomware was first identified in March 2020 and was used in an attack on the Australian transportation and logistics company Toll Group. Attacks have also been conducted on an Illinois public health department, a Maryland operator of assisted living facilities, and the University of California, San Francisco. The threat group has been targeting government organizations, healthcare providers, educational institutions, and private companies.
The threat group has taken advantage of the COVID-19 pandemic and initially used phishing emails to infect its victims. In March 2020, attacks were reported that used a .vbs file attachment which executed the ransomware payload when opened. In April 2020, attacks were conducted exploiting vulnerabilities in the Pulse Secure VPN appliance (CVE-2019-11510), as well as the Telerik UI vulnerability CVE-2019-18935. The threat group has also used brute force tactics to guess weak passwords for Remote Desktop Protocol connections. The ransomware is deployed using a malicious PowerShell script with the Netwalker ransomware executable embedded in it.
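One of the initial-access routes named above, password guessing against RDP, leaves a distinctive trail: a burst of failed logons of logon type 10 (RemoteInteractive) from a single source. The script below is an added example, not part of the FBI alert or this article, showing how a defender can flag that pattern. It runs over a constructed, simplified export of Windows Security Event ID 4625/4624 records (timestamp, event ID, logon type, account, source IP); the field layout, the threshold of five failures and the 60-second window are all assumptions for illustration and should be tuned to the environment.

```python
"""Flag RDP password-guessing bursts in Windows logon records.

Added example (not from the FBI alert): given lines in a simplified,
constructed format resembling Windows Security Event ID 4625/4624 exports,
report any source IP that produces more than THRESHOLD failed logons
of logon type 10 (RemoteInteractive, i.e. RDP) within WINDOW seconds.
"""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures from one source before alerting (assumed tuning value)
WINDOW = 60     # sliding window in seconds (assumed tuning value)

# Constructed sample: timestamp, event id, logon type, account, source IP.
# 203.0.113.7 sprays six common account names in eight seconds;
# 198.51.100.4 is a user who mistyped a password once; 10.0.0.5 is a
# network (type 3) failure and is out of scope for this detector.
SAMPLE_LOG = """\
2020-07-28T10:00:01 4625 10 administrator 203.0.113.7
2020-07-28T10:00:03 4625 10 admin 203.0.113.7
2020-07-28T10:00:04 4625 10 backup 203.0.113.7
2020-07-28T10:00:06 4625 10 sysadmin 203.0.113.7
2020-07-28T10:00:08 4625 10 administrator 203.0.113.7
2020-07-28T10:00:09 4625 10 root 203.0.113.7
2020-07-28T10:00:15 4624 10 jsmith 198.51.100.4
2020-07-28T10:05:00 4625 10 jsmith 198.51.100.4
2020-07-28T10:09:00 4625 3 svc-backup 10.0.0.5
"""


def parse_line(line):
    """Split one record of the assumed five-field format into a dict."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (failures_in_window, distinct_accounts_tried)}
    for every source that exceeds `threshold` RDP failures inside `window`
    seconds. Records are assumed to be in chronological order."""
    recent = defaultdict(deque)   # src -> timestamps of recent RDP failures
    accounts = defaultdict(set)   # src -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only failed logons (4625) of RemoteInteractive type (10) count.
        if rec["event_id"] != 4625 or rec["logon_type"] != 10:
            continue
        q = recent[rec["src"]]
        q.append(rec["time"])
        accounts[rec["src"]].add(rec["account"])
        # Drop failures that fell out of the sliding window.
        while (rec["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            alerts[rec["src"]] = (len(q), len(accounts[rec["src"]]))
    return alerts


if __name__ == "__main__":
    for src, (count, names) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: "
              f"{count} failures, {names} distinct accounts")
```

The distinct-account count is what separates a locked-out user from a spray: one account failing repeatedly is a support ticket, many account names from one address is the behaviour the alert describes. In production the same logic would read from the Security event log or a SIEM rather than an inline string, and a hit should be correlated with the VPN and patch-status checks the alert recommends.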
Once access to the network has been gained, the group harvests admin credentials and exfiltrates sensitive data, sending files to the online file sharing service website.dropme.com. Once data has been exfiltrated, the ransomware encryption routine is launched and all connected Windows-based devices and data are encrypted.
While the FBI accepts that in some cases payment of the ransom may be the only way of recovering files, the FBI does not encourage payment of ransoms: doing so encourages further attacks, there is no guarantee that valid keys will be provided to decrypt data, and the ransom payments are likely to be used to fund illicit activities. In the event of an attack, victims should contact their local FBI field office and provide information about the attack, which will allow the FBI to track the attackers and hold them accountable under U.S. law.
Organizations can take steps to improve their defenses against attacks. All software and operating systems should be updated to the latest version and patches should be applied promptly when they are released. Strong passwords should be set, 2-factor authentication should be implemented, and a VPN should be installed and used for all remote connections. The VPN system should also be kept up to date.
It is also important for backups to be regularly made to ensure data can be recovered in the event of an attack. Copies of critical data should be stored on an external hard drive, storage device, or in the cloud, and the backups should not be accessible from the system where the data resides.
The FBI has shared confirmed IoCs in the Flash Alert.