FBI: COVID-19-Themed Phishing Spreads Netwalker RansomwareAttacks Target Government Agencies and a Variety of Others
The FBI is warning that attacks using a ransomware variant called Netwalker have steadily increased since June, targeting government organizations, educational entities, healthcare firms and private companies in the U.S. and elsewhere.
In a new private industry alert, the FBI notes that the operators behind Netwalker are using COVID-19 themes as a lure to entice victims to open phishing emails that contain malicious attachments.
"Cyber actors using Netwalker have taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims," according to the FBI alert.
Researchers first took notice of Netwalker, also called Mailto, in February after the malware was used to breach Toll Group, an Australian transportation and logistics company (see: Australian Delivery Firm Confirms Ransomware Attack).
In June, Netwalker operators took credit for targeting the University of California San Francisco. The university acknowledged it paid a $1.14 million ransom to obtain decryptor keys to unlock several servers within its school of medicine, although officials never confirmed what strain of ransomware was used in the attack (see: UCSF Med School Pays $1.1 Million Ransom).
Using Coronavirus as a Lure
The FBI alert notes that the operators behind Netwalker are luring victims with pandemic-themed phishing e-mails that contain an attachment with a malicious Visual Basic Scripting, or VBS, script that executes the payload once opened.
"Starting in April, Netwalker began gaining unauthorized access to victim networks by exploiting unpatched virtual private network appliances, vulnerable user interface components in web applications, or weak passwords used for Remote Desktop Protocol connections," the FBI notes.
Encryption and Exfiltration
Once activated, the malware encrypts critical files, databases and applications on connected Windows devices, according to the FBI.
"When executed, Netwalker deploys an embedded configuration that includes a ransom note, ransom note file names and various configuration options," according to the FBI.
"In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable."
In addition to encrypting data, Netwalker executes malicious programs that harvest administrator credentials, steal valuable data and encrypt user files, the alert notes.
Two of the most common vulnerabilities exploited by Netwalker are CVE-2019-11510, which is found in Pulse Secure VPN servers, and CVE-2019-18935, which is found in Telerik UI, a toolset used with Windows Presentation Foundation to help build applications.
The FBI notes that the Netwalker operators have posted stolen data from attacks to the MEGA cloud storage and file-sharing service by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim's device. But in June, the ransomware operators started uploading the stolen data to another file-sharing service transitioning away from MEGA, the FBI reports.
The FBI recommends that organizations follow some basic security procedures to prevent intrusions and these types of attacks, including:
- Back up critical data offline;
- Ensure that copies of critical data are stored in the cloud or on an external hard drive;
- Secure back-ups and ensure data is not accessible for modification or deletion;
- Install updated anti-virus software on all devices;
- Use only secure networks and VPNs and avoiding public WiFi networks;
- Use two-factor authentication with strong passwords.
- Keep devices and applications patched.
The FBI alert also urges victims to not pay any ransom and report incidents to the local field office.
"Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” the alert states. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”