Although ransomware has been around since 1996, it is as much of a threat today as it was two decades ago. The scariest part is that cyber attackers keep getting better: not only are they refining their techniques, they are also exploiting what is arguably the most notable crisis of our time, the Covid-19 pandemic. The ransomware we look at today, Netwalker, is one example.

The threat began operating in September 2019, but it was not until March 19, 2020 that a user with the alias Bugatti opened the group to other cybercriminals as part of a RaaS business model. It was initially believed to be a Mailto-type threat, but this turned out not to be the case.

The data collected so far indicates that the Netwalker ransomware was created by a group of Russian-speaking hackers. This particular faction operates under the moniker Circus Spider. The concept behind Netwalker is that of Ransomware-as-a-Service (RaaS), which means that Circus Spider provides others with the tools and infrastructure to hold files hostage in exchange for an affiliate payment. The group posted on Russian dark web forums inviting interested cybercriminals to associate and spread the malware.

However, joining comes with its own set of rules. Affiliates are prohibited from attacking organizations located in Russia and the Commonwealth of Independent States. In addition, it is stipulated that collaborators must always return the files of victims who paid the ransom. Of course, this is never a guarantee when it comes to ransomware operators.

This ransomware belongs to a newer class of malware: the one that spreads via VBScripts. The nefarious thing about this technique is that, if successful, it reaches every machine connected to the same Windows network as the original point of infection. Starting in April 2020, however, Netwalker changed its approach and asked affiliates to do the same: Circus Spider began recruiting experienced network intruders to go after large targets, such as private companies, hospitals, or government agencies, rather than individual home users.

Attackers gained unauthorized access to the networks of larger organizations by exploiting unpatched VPN appliances, weak Remote Desktop Protocol passwords, or exposed entry points in web applications. Once inside, Netwalker terminates running Windows processes and services, encrypts files on disk, and deletes backups stored on the same network.

According to a Flash alert issued by the FBI and distributed to potential victims, vulnerabilities in Telerik UI and Pulse Secure VPN are two of the most commonly exploited by attackers trying to infiltrate an organization's network and run Netwalker.
