The FBI has issued a security alert about Netwalker ransomware operators targeting U.S. and foreign government organizations, advising their victims not to pay the ransom and reporting incidents to their local FBI field offices.
FBI’s flash alert also provides indicators of compromise associated with the Netwalker ransomware (also known as Mailto) and includes a list of recommended mitigation measures.
According to the FBI, the operators behind this ransomware strain began targeting U.S. and foreign government organizations in June 2020, after Netwalker operators had successfully encrypted systems on the network of the UCSF School of Medicine, the Australian transportation and logistics company Toll Group (which was hit again by Nefilim ransomware three months later), and Lorien Health Services earlier this month.
Exploiting pandemic fears and software vulnerabilities
The FBI says that the Netwalker actors have also taken advantage of the ongoing COVID-19 pandemic in their attacks “to compromise an increasing number of unsuspecting victims” in March, via phishing e-mails delivering a Visual Basic Scripting (VBS) loader.
Starting in April 2020, Netwalker operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, and weak passwords on Remote Desktop Protocol (RDP) connections to gain access to their victims’ networks.
“Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935),” the FBI says.
The Netwalker ransomware-as-a-service (RaaS) operation has also recently advertised that it is looking for new collaborators who can provide access to large enterprise networks.
Recommended mitigation measures
Organizations can drastically lower the chances of becoming a Netwalker victim by using multi-factor authentication (MFA) with strong passwords and keeping all devices and software on their networks up to date.
The FBI also advises running anti-virus or anti-malware solutions on all network hosts and, where possible, only connecting through secure networks via a VPN.
Critical data should be backed up offline, with copies stored on external storage devices or in the cloud, so that attackers cannot reach and encrypt the backups.
The full list of recommended mitigations includes:
• Back-up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
• Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
• Install and regularly update anti-virus or anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
• Use two-factor authentication with strong passwords.
• Keep computers, devices, and applications patched and up-to-date.
Data exfiltration via file-sharing services
Once Netwalker operators have infiltrated a target’s network, they use various malicious tools to collect administrator credentials, steal sensitive information (later used as leverage to pressure the target into paying the ransom), and encrypt the data on all Windows devices on the network.
“Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ (MEGA), by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer.
“In June 2020, actors transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service: website.dropmefiles.com.”
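One defensive use of the file-sharing detail above is to hunt for large outbound uploads to the two services the FBI names. The following is an added example, not code from the FBI alert or from any vendor: it parses a constructed proxy log (field layout, IPs and byte counts are all made up for the example), sums bytes POSTed or PUT to mega.nz and website.dropmefiles.com per client, and flags clients over an assumed 100 MB threshold.

```python
import re
from collections import defaultdict

# File-sharing services the FBI alert names as Netwalker exfiltration channels.
EXFIL_DOMAINS = ("mega.nz", "website.dropmefiles.com")

# Constructed sample proxy log (not real traffic). Assumed field layout:
# timestamp client_ip method host bytes_sent
SAMPLE_PROXY_LOG = """\
2020-06-10T02:11:04Z 10.0.5.23 POST g.api.mega.nz 524288000
2020-06-10T02:14:37Z 10.0.5.23 POST g.api.mega.nz 498073600
2020-06-10T09:02:11Z 10.0.7.8 GET www.example.com 1203
2020-06-11T01:40:52Z 10.0.5.41 POST website.dropmefiles.com 734003200
2020-06-11T10:15:00Z 10.0.7.8 GET mega.nz 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def matched_service(host):
    """Return the watched service a hostname belongs to (exact match or subdomain), else None."""
    host = host.lower().rstrip(".")
    for domain in EXFIL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_exfil_candidates(log_text, min_bytes=100 * 1024 * 1024):
    """Sum upload bytes per (client, service) and return those at or above min_bytes.

    Only POST/PUT requests count, so ordinary browsing of the service is not flagged.
    The 100 MB default threshold is an assumption for this example; tune it per environment.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        service = matched_service(m["host"])
        if service is None or m["method"] not in ("POST", "PUT"):
            continue
        totals[(m["src"], service)] += int(m["bytes"])
    alerts = [
        {"client": src, "service": svc, "bytes_sent": total}
        for (src, svc), total in totals.items()
        if total >= min_bytes
    ]
    return sorted(alerts, key=lambda a: a["bytes_sent"], reverse=True)
```

Run against the sample log, this returns two alerts (10.0.5.23 uploading to mega.nz and 10.0.5.41 uploading to website.dropmefiles.com) while the small GET requests are ignored.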
The FBI advises victims not to pay ransoms after such attacks since this doesn’t guarantee the successful restoration of encrypted devices.
“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the agency adds.
The federal law enforcement agency also urges victims to report ransomware incidents to help investigators track the attackers and to prevent future attacks.