What To Do If You Get Ransomware

Emotet, Trickbot, Maze, Ryuk and now Netwalker ransomware: cyber crime has grown exponentially in the last year. Ransomware has become a major problem for companies large and small, public and private, with no sign of letting up. In 2019 alone, attackers extorted up to $11.5 billion from their victims, up from $8 billion in 2018. Experts estimate that the cost of ransomware attacks will increase by almost 100% to $20 billion by 2021. Netwalker (aka Mailto) has raised more than $30 million in ransom since its first significant attack in March.

What is Netwalker ransomware?

Netwalker is a rapidly growing ransomware created in 2019 by the cybercriminal group known as ‘Circus Spider’. Circus Spider is one of the newest members of the ‘Mummy Spider’ cybercriminal group. On the surface, Netwalker acts like many other types of ransomware: it establishes an initial foothold through phishing emails, then exfiltrates and encrypts sensitive data to hold for a large ransom. Unfortunately, Netwalker does more than just capture victim data. To prove that they are serious, Circus Spider releases a sample of the stolen data online, warning that if the victim does not pay what they want in time, they will release the rest on the dark web. Circus Spider places the victim’s private data on the dark web in a password-protected folder and then publishes the password online.

Netwalker ransomware adopted the RaaS model

In March 2020, Circus Spider decided that they wanted Netwalker to become a household name, so they set out to expand their affiliate network, just like the Maze ransomware team. The shift to the ransomware as a service (RaaS) model has allowed them to operate on a larger scale, go after more targets and broaden their reach. RaaS means bringing in affiliates to carry out attacks on the cybercriminal group’s behalf. As noted above, Netwalker got off to a strong start.
However, they were still relatively young compared to the leading ransomware groups… until they adopted the RaaS model. To earn the honor of joining their select group, Circus Spider published a list of requirements, or a criminal job posting if you prefer. Their main criteria for affiliates are:

- Russian-speaking (specifically, they do not accept English speakers)
- Experience with networks
- They will not train inexperienced affiliates
- Constant access to good targets
- Proven experience

“Sodinokibi / REvil ransomware group is looking for special networking partners pic.twitter.com/m3lYN5qk8t” — Catalin Cimpanu (@campuscodi) April 19, 2020

“… and now, the Netwalker (Mailto) ransomware group is also looking for two special partners in network attacks. The process of ransomware/ransomware attacks is very clear. Criminals are moving away from spear phishing to target RDP and exposed Internet servers. pic.twitter.com/VKWl9Q0vaa” — Catalin Cimpanu (@campuscodi) April 29, 2020

To attract the best prospects, Circus Spider published a list of features that its new affiliates will receive if selected. These include:

- A fully automated TOR chat panel
- Administrator-level access that works on all Windows devices from Windows 2000 to the present

Who does Netwalker ransomware target?

Since it first appeared in March, there has been an increase in Netwalker ransomware attacks targeting healthcare and educational institutions. One of their worst campaigns was run against a major university specializing in medical research. The university had sensitive data stolen by the ransomware, and to prove they weren’t kidding, the attackers released a sample of the stolen data. This data included student applications containing information such as social security numbers and other sensitive data. The breach forced the victim to pay the attackers a ransom of $1.14 million to have their data destroyed.
There has been a big push by Netwalker attackers to take advantage of the COVID-19 crisis by sending phishing emails related to the disease and targeting health facilities already strained by it. One of the first healthcare providers to be hit by Netwalker had its website taken down just as the public was beginning to turn to it for advice during the pandemic. The attack forced them to launch a second site and redirect users to the new one, causing distress and confusion for all involved. As the year went on, Netwalker and its affiliates continued to target healthcare companies, especially those whose IT departments were understaffed and focused on other areas of the organization.

In addition to healthcare and education, Netwalker targets other industries, including:

- Business management solution developers
- Customer experience management
- Mobility and battery solutions
- Education
- and many more

How does Netwalker work?

Step 1: Phishing and infiltration

Netwalker relies heavily on spear phishing as its infiltration method. As is common in phishing campaigns, Netwalker sends emails that appear to come from legitimate sources in order to lure victims. Typically, Netwalker attaches a VBS script named “CORONAVIRUS_COVID-19.vbs” that executes the ransomware when the user double-clicks it, or an attached Word document that contains the malicious script.

(Figure: the VBS script)

Step 2: Data exfiltration and encryption

Once the script is opened and running on your system, Netwalker starts moving quietly through your network, enumerating and encrypting data. Once on your system, the loader disguises itself as a legitimate process, usually in the form of a Microsoft executable. This is achieved by hollowing out the code of a legitimate executable and injecting its own malicious code into that process’s address space. This technique is known as process hollowing.
This execution method gives the ransomware plenty of time to work its way through the network undetected: encrypting and exfiltrating data, deleting backups and finishing its work before anyone notices anything amiss.

Step 3: Extortion and recovery (or destruction)

Once Netwalker finishes exfiltrating and encrypting data, the victim realizes that something is wrong and finds the dreaded ransom note. The Netwalker ransom note is standard, stating what happened and what to do next if the user wants their data back safely. Circus Spider also specifies an amount to be paid in Bitcoin via a TOR browser portal.

(Figure: the Netwalker ransom note; source)

Once the victim complies with their demands, Circus Spider gives them access to a custom decryption tool and promises to securely destroy the stolen data. If the victim does not meet the demands in time, Circus Spider will increase the ransom and/or release some or all of the stolen data on the dark web.

(Diagram of the Netwalker attack method; source)

Tips to protect yourself from Netwalker ransomware

Netwalker keeps getting better and harder to defend against, especially as its affiliate network grows, so you need to take steps to protect yourself. Netwalker did enough damage to attract the attention of the US government: the FBI’s cybercrime unit issued a TLP:WHITE Flash alert advising organizations to be on the lookout for malicious phishing emails related to the virus. The FBI recommends the following mitigation measures:

- Back up critical data offline.
- Make sure that copies of important data are kept in the cloud or on an external hard drive or storage device.
- Secure your backups and ensure that the data cannot be accessed for modification or deletion from the system where the data resides.
- Install and update antivirus or anti-malware software on all hosts.
- Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a VPN.
- Use two-factor authentication with strong passwords.
- Keep computers, devices and applications up to date.
Netwalker, like other ransomware, exploits vulnerabilities in your systems and infrastructure to take control of users’ computers and entire networks, and holds your data hostage until you pay the ransom. While these steps will help minimize the damage caused by ransomware once it infects your system, they are still just that: mitigation. Applied correctly, they will help prevent the spread of the ransomware and limit the damage once it gets into your system. But prevention through education is a powerful weapon in the war against Netwalker.

Don’t take the phishing bait

Because Netwalker uses phishing attacks and malicious links to infect systems, educating your organization about the dangers of phishing campaigns and what to look for when screening suspicious emails is essential for keeping your sensitive data safe. Regular data security training is a good form of prevention and will help your organization recognize the signs of a malicious email. Here are some things to check whenever you receive an email asking you to click a link, download a file or share your credentials:

- Check the sender’s name and address in the From field.
- Check the subject line and body for obvious spelling mistakes.
- Do not share credentials; a legitimate sender will not ask you for them.
- Do not open attachments or click suspicious links.
- Report any suspicious email.
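As an added example, not part of the original article and not any vendor’s own code, the following Python triage script applies three of the checks above (sender name versus the actual sending address, attachments that execute or can carry macros such as the CORONAVIRUS_COVID-19.vbs lure, and requests for credentials) to constructed sample messages; the spelling-mistake check is left to a human reviewer, and the domains and phrases used are hypothetical.

```python
import re
from dataclasses import dataclass, field

# File types Windows runs on double-click; the Netwalker lure was CORONAVIRUS_COVID-19.vbs
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Office formats that can carry a macro which launches the script instead
MACRO_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pptm"}
# Phrases that signal a request for credentials (constructed list, extend as needed)
CREDENTIAL_PHRASES = ("verify your password", "confirm your credentials",
                      "enter your login", "your account will be suspended")
DOMAIN_IN_NAME = re.compile(r"\b[\w-]+\.[a-z]{2,}\b")

@dataclass
class Email:
    display_name: str
    from_address: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(mail: Email) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    # Check 1: the display name names a domain that the real sending address is not part of
    addr_domain = mail.from_address.rsplit("@", 1)[-1].lower()
    for dom in DOMAIN_IN_NAME.findall(mail.display_name.lower()):
        if addr_domain != dom and not addr_domain.endswith("." + dom):
            findings.append(f"sender name claims {dom} but address is @{addr_domain}")
    # Check 2: attachments that execute directly or can carry macros
    for name in mail.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"executable script attachment: {name}")
        elif ext in MACRO_EXTENSIONS:
            findings.append(f"macro-capable document attachment: {name}")
    # Check 3: the message asks the recipient for credentials
    text = (mail.subject + " " + mail.body).lower()
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        findings.append("message asks for credentials")
    return findings

# Constructed sample messages with hypothetical domains (not real captures)
LURE = Email("corp.example IT Helpdesk", "helpdesk@corp-example-support.example",
             "COVID-19 remote work policy",
             "Open the attached policy and verify your password to keep access.",
             ["CORONAVIRUS_COVID-19.vbs"])
NORMAL = Email("Payroll Team", "payroll@corp.example", "April payslip",
               "Your payslip is attached as a PDF.", ["payslip-april.pdf"])
RESULTS = {"lure": triage(LURE), "normal": triage(NORMAL)}
```

Run it on your own mail export by building an Email per message; every finding is a reason to report the message rather than open it.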