The FBI has issued a security warning about Netwalker ransomware operators, who are targeting the USA as well as other countries, advising victims not to pay the ransom they are asked for and to report the attack to the FBI instead. The warning also contains indicators of compromise related to the Netwalker ransomware, which is also known as "Mailto". In addition, the FBI published a list of measures it recommends organizations take to mitigate these attacks.
According to the FBI, the ransomware operators began targeting U.S. and other organizations in June 2020, after successfully encrypting systems on the network of the UCSF Medical School and of the Australian transport and logistics company "Toll Group". Toll Group was "hit" again by Nefilim ransomware earlier this month, as was Lorien Health Services.
In addition, the FBI notes that Netwalker ransomware operators took advantage of the COVID-19 pandemic in their attacks, managing to compromise a large number of unsuspecting victims in March through phishing emails carrying a Visual Basic Scripting (VBS) loader.
Starting in April 2020, Netwalker ransomware operators began exploiting vulnerable VPN appliances, user interface components in web applications, or weak RDP passwords to gain access to their targets' networks. Two of the vulnerabilities most commonly exploited by Netwalker operators are in Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935).
The Netwalker ransomware team also recently published an advertisement stating that it was looking for new partners who could provide it with access to large corporate networks.
What mitigation measures is the FBI proposing?
- Organizations can significantly reduce their chances of falling victim to Netwalker ransomware by using multi-factor authentication (MFA) together with strong passwords and by keeping all devices and software on their networks up to date.
- The FBI also recommends using anti-virus or anti-malware software on all network computers; organizations should use only secure networks and avoid public Wi-Fi networks. In addition, they should consider installing and using a VPN.
- A very important measure proposed by the FBI is keeping backups either on external storage devices or in the cloud, so that it is harder or even impossible for intruders to reach and encrypt them.
Once Netwalker ransomware operators have successfully penetrated a target's network, they use various malicious tools to collect administrator credentials and steal sensitive information, which they can later use to pressure the target into paying the ransom, and then encrypt the data on all Windows devices on the network.
The Netwalker ransomware team has uploaded stolen data to the cloud storage and file-sharing service MEGA.NZ (MEGA), either by publishing the data through the MEGA website or by installing the MEGA client application directly on the victim's computer. In June, the team switched from uploading and releasing stolen data on MEGA to uploading it to another file-sharing service, website.dropmefiles.com.
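As an added illustration for defenders (it is not part of the FBI notice or of this article), the following Python script scans web-proxy log lines for large uploads to the two file-sharing services named above, which is the kind of egress check a security team can run to spot data being staged for extortion. The log format (timestamp, source IP, method, URL, bytes sent), the 10 MiB threshold and the sample lines are all constructed for the example; only the two destination domains come from the article.

```python
from urllib.parse import urlparse

# Exfiltration destinations named in the article. Constructed set; extend
# from your own threat intelligence, never from a single news report alone.
EXFIL_DOMAINS = {"mega.nz", "website.dropmefiles.com"}

# Default threshold for an "interesting" upload: 10 MiB (assumption).
DEFAULT_MIN_BYTES = 10 * 1024 * 1024

# Constructed sample proxy log in a hypothetical five-field format:
#   <timestamp> <source_ip> <method> <url> <bytes_sent_by_client>
SAMPLE_LOG = """\
2020-07-01T10:02:11Z 10.1.4.22 GET https://www.example.com/index.html 512
2020-07-01T10:05:43Z 10.1.4.22 POST https://mega.nz/upload 4096
2020-07-01T10:06:01Z 10.1.4.22 POST https://website.dropmefiles.com/upload 734003200
2020-07-01T10:07:15Z 10.1.4.37 GET https://mega.nz/ 2048
2020-07-01T10:09:30Z 10.1.4.22 PUT https://mega.nz/some/path 2147483648
2020-07-01T10:11:02Z 10.1.4.51 POST https://updates.example.com/report 52428800
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src_ip, method, url, raw_bytes = fields
    try:
        sent = int(raw_bytes)
    except ValueError:
        return None
    host = urlparse(url).hostname
    if host is None:
        return None
    return {"ts": ts, "src_ip": src_ip, "method": method.upper(),
            "host": host.lower(), "url": url, "bytes": sent}


def matches_exfil_domain(host):
    """True if host is one of the watched domains or a subdomain of one.

    The suffix check requires a leading dot so that e.g. 'notmega.nz'
    does not match 'mega.nz'.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def find_exfil_uploads(log_text, min_bytes=DEFAULT_MIN_BYTES):
    """Return the parsed lines that look like bulk uploads to a watched domain.

    Only client-to-server methods count: a GET of the MEGA front page is not
    an upload, and a small POST (e.g. a login) stays below the threshold.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] in {"POST", "PUT"}
                and matches_exfil_domain(rec["host"])
                and rec["bytes"] >= min_bytes):
            alerts.append(rec)
    return alerts


def bytes_per_source(alerts):
    """Aggregate flagged upload volume per internal source IP."""
    totals = {}
    for rec in alerts:
        totals[rec["src_ip"]] = totals.get(rec["src_ip"], 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    hits = find_exfil_uploads(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['src_ip']} {rec['method']} {rec['url']} "
              f"{rec['bytes']} bytes")
    for ip, total in bytes_per_source(hits).items():
        print(f"total flagged upload from {ip}: {total} bytes")
```

Run against the sample, the script reports two uploads from 10.1.4.22 and ignores the small POST to mega.nz, the GET of the MEGA front page and the large POST to an unrelated domain. In practice the threshold should be tuned to the organization's normal traffic, and any hit should be correlated with endpoint telemetry (for instance, an unexpected installation of the MEGA client, which the article says the operators also use) before it is treated as confirmed exfiltration.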
The FBI advises victims not to pay the ransom after such attacks, as paying does not guarantee the successful recovery of encrypted devices. However, the FBI understands that when organizations face operational disruption, executives will evaluate all options to protect their employees and customers.