As with most strains of ransomware, Netwalker targets devices running Microsoft Windows, and after the victim’s files have been encrypted, the attackers will ask for a payment in bitcoin in order to release the decryption key.
Netwalker employs the “double-extortion” technique, which is where the attackers extract a copy of the victim’s data before initiating the attack. They then publish a sample of the stolen data on the dark web, as proof of the breach.
Behind Netwalker ransomware is a Russian-based hacking group called Circus Spider, which, as of March 2020, operates a Ransomware-as-a-Service (RaaS) platform. Even though RaaS platforms are generally designed to enable novice hackers to launch their own ransomware attacks, in the case of Netwalker the affiliates are expected to have extensive hacking experience and to be fluent in Russian.
In exchange, affiliates can keep as much as 80% of each ransom payment they successfully extort from their victims.
How Does Netwalker Ransomware Work?
Netwalker ransomware typically arrives as a malicious email attachment, which in this case is a Visual Basic script. However, newer versions of Netwalker also target exposed Remote Desktop Protocol (RDP) ports in order to gain access to the victim’s network.
The phishing emails appear to come from legitimate sources, and usually have a COVID theme in order to scare the victims into clicking on a link or downloading an attachment. As mentioned, the attackers will first extract a copy of the victim’s data before initiating the attack, and a sub-set of the stolen data is published on the dark web.
Once the encryption process has completed, the victim is presented with a ransom note, stored as a TXT file, requesting a payment in bitcoin. The victim is instructed to make the payment using the Tor browser, which allows for anonymous communication between the victim and the attacker’s command-and-control (C&C) server. Once the payment has been made, the victim receives the decryption key, allowing them to unlock their files.
Examples of Netwalker Ransomware Attacks
Netwalker affiliates will target a wide range of industries, across a wide range of countries. Some of Netwalker’s most notable victims include:
- The Crozer-Keystone Health System
- Toll Group, an Australian transport company
- California University’s Covid research sector
- The Austrian city of Weiz
- K-Electric, Pakistan’s largest private power utility
- Argentina’s official immigration agency
How to Protect Yourself from Netwalker Ransomware
Netwalker ransomware is not much different from other sophisticated strains of ransomware. As such, many of the techniques used to mitigate Netwalker attacks are the same. The first and most obvious defense against ransomware is to ensure that all employees are sufficiently trained to identify phishing emails. Beyond that, you will need to:
- Back up all data and store it in a secure location. Ideally, backups should be encrypted and stored off-line, or at least off-network.
- Disable Remote Desktop Protocol (RDP) if you are not using it. If you really need to use RDP, at least ensure that it is running on a non-standard port.
- Set up Software Restriction Policies in Group Policy to help you prevent and control the execution of certain applications, most notably Visual Basic scripts and .EXE files.
- Ensure that all updates/patches are installed as soon as they become available. Consider using an automated and centralized patch management solution to streamline the process.
- Monitor for suspicious inbound and outbound network traffic. Since the attackers will be sending data between the victim’s device and the attacker’s Command & Control (C&C) server, it would be a good idea to adopt a sophisticated Intrusion Prevention System (IPS) or Data Loss Prevention (DLP) solution to identify and block suspicious communication channels in real time.
- Monitor for suspicious file & folder activity, especially activity that involves copying or encrypting a large number of files. Real-time file auditing software is available that can detect and respond to events that match a pre-defined threshold condition. For example, if X number of files have been copied or encrypted within a given time frame, a custom script can be executed which might disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
While not so relevant for preventing Netwalker ransomware attacks, it is always good practice to ensure that account passwords are strong, unique, and periodically rotated. Use multi-factor authentication whenever possible, and ensure that users are granted the least privileges they need to perform their role.
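As an added illustration (not code from the original post or from any Lepide product), the threshold rule described above for file activity, written in Python over a constructed stream of file-audit events: a user who generates more than a set number of write/copy events inside a sliding time window is flagged once, and the response action is left to a caller-supplied hook. The event fields, user names, share paths and thresholds are all assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-audit record (constructed shape; real sources such as Windows
    object-access audit logs carry more fields than are needed here)."""
    ts: float      # seconds since epoch
    user: str
    action: str    # e.g. "write", "copy", "delete", "read"
    path: str


def detect_mass_file_activity(events, threshold, window_seconds,
                              watched=("write", "copy"), on_alert=None):
    """Return [(user, ts, count)] for each user whose watched events first
    reach `threshold` inside any `window_seconds` span. One alert per user;
    `on_alert(user)` (if given) is the place to hook a response script."""
    windows = {}        # user -> deque of recent watched-event timestamps
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in watched or ev.user in alerted:
            continue
        q = windows.setdefault(ev.user, deque())
        q.append(ev.ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ev.ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev.user, ev.ts, len(q)))
            alerted.add(ev.user)
            if on_alert is not None:
                on_alert(ev.user)
    return alerts


# Constructed sample: alice edits a few documents over several minutes,
# bob rewrites 60 spreadsheets in 15 seconds (bulk-encryption pattern),
# carol only reads files, which the rule deliberately ignores.
SAMPLE_EVENTS = (
    [FileEvent(1000.0 + i * 120, "alice", "write", f"\\\\fs01\\docs\\report{i}.docx") for i in range(4)]
    + [FileEvent(1300.0 + i * 0.25, "bob", "write", f"\\\\fs01\\finance\\ledger{i}.xlsx") for i in range(60)]
    + [FileEvent(1350.0 + i * 0.5, "carol", "read", f"\\\\fs01\\docs\\policy{i}.pdf") for i in range(100)]
)

if __name__ == "__main__":
    print(detect_mass_file_activity(SAMPLE_EVENTS, threshold=50, window_seconds=60,
                                    on_alert=lambda u: print(f"would disable account {u}")))
```

Tune `threshold` and `window_seconds` against a baseline of normal activity for the share in question, since backup jobs and bulk document migrations produce the same burst shape.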
If you’d like to see how the Lepide Data Security Platform can help you detect and prevent ransomware attacks, schedule a demo with one of our engineers or start your free trial today.