$25 Million Extorted by NetWalker Ransomware
During the last 5 months, while the COVID pandemic has been affecting businesses everywhere, the ransomware dubbed “NetWalker” has extorted over $25 million from organizations around the world.
Cybersecurity researchers from McAfee reported that between March 1st and July 27th of last year, NetWalker had netted 2,795 bitcoin, which was valued at USD $25 million at the time. The researchers traced the group behind the ransomware attacks by following the bitcoin address controlled by the cyberattackers.
Underground marketplaces of Ransomware-as-a-Service
One of the ways that ransomware cyberattackers earn money is through the Ransomware-as-a-Service model. This allows ransomware developers to earn money from their malware without organizing and conducting the attacks themselves.
In this model, the earnings from a ransomware attack are split between the attacker and the developer.
Origins of NetWalker
NetWalker was first known as Mailto. It was initially detected in August of 2019, and different variants have since been noticed in the wild. Like other ransomware strains, NetWalker encrypts sensitive data and demands payment for its safe release. NetWalker attacks also often threaten to leak the stolen data to the public.
However, NetWalker replaces the usual method of email communication between cyberattackers and victims with its own NetWalker technical support chat.
How are Victims Infected?
It has been found that NetWalker often gains access to company networks by exploiting vulnerabilities in public-facing applications, that is, applications that listen on sockets reachable from the internet. An example of this is Oracle WebLogic Server. Researchers at McAfee and Sophos discovered that outdated Oracle WebLogic Servers were one of the major weak points exploited by NetWalker. In a statement, Oracle responded that the critical patch updates released in April 2020 addressed many of the previously discovered security vulnerabilities. However, many organizations remain unprotected because they have failed to apply these updates.
McAfee researchers also discovered that insecure RDP connections were another major point of weakness exploited by NetWalker attacks. In particular, the attackers targeted legitimate RDP accounts that had poor passwords and were not protected by multifactor authentication (MFA). Once an attacker gains a foothold in the network through the RDP connection, they can proceed to launch the ransomware attack. Recently, the FBI has also released a statement notifying organizations that NetWalker attacks have been using the COVID-19 pandemic to their advantage, launching an increasing number of attacks at a time when organizations' use of VPN connections has increased.
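The RDP weakness described above (accounts with weak passwords and no MFA being guessed from the internet) shows up in the Windows Security log as a burst of failed logons followed, if the guess succeeds, by a successful one from the same source. The following script is an added example written for this article, not code from McAfee, Sophos or the FBI: it runs a simple sliding-window detection over a constructed sample of logon events. It assumes event ID 4625 (failed logon), 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) as Windows records them; the IP addresses, user names and timestamps are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries (not real telemetry).
# event_id 4625 = failed logon, 4624 = successful logon.
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = network logon (ignored here).
SAMPLE_EVENTS = [
    {"time": "2020-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:02", "event_id": 4625, "logon_type": 3,  "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:07", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:11", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2020-06-01T02:00:20", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    # A normal user mistyping a password once and then logging in: should not be flagged.
    {"time": "2020-06-01T09:14:50", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.4"},
    {"time": "2020-06-01T09:15:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.4"},
]


def parse_events(records):
    """Keep only RDP (LogonType 10) logon events and order them chronologically."""
    events = []
    for r in records:
        if r["logon_type"] != 10:
            continue
        e = dict(r)
        e["time"] = datetime.fromisoformat(r["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_password_guessing(records, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with `threshold` or more failed RDP logons inside `window`.

    Returns {src_ip: {"failures": total failed logons seen from that IP,
                      "users": account names tried,
                      "success_after_burst": (time, user) of a successful RDP
                                              logon that followed the burst, or None}}
    """
    events = parse_events(records)
    recent = defaultdict(list)   # src_ip -> [(time, user)] failures still inside the window
    total_failures = Counter()   # src_ip -> all failed RDP logons observed
    findings = {}

    for e in events:
        ip, now = e["src_ip"], e["time"]
        # Slide the window: forget failures older than `window`.
        recent[ip] = [(t, u) for t, u in recent[ip] if now - t <= window]

        if e["event_id"] == 4625:
            recent[ip].append((now, e["user"]))
            total_failures[ip] += 1
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": None})
                f["failures"] = total_failures[ip]
                f["users"].update(u for _, u in recent[ip])
        elif e["event_id"] == 4624 and ip in findings and recent[ip]:
            # A successful RDP logon from a source that was guessing passwords moments ago:
            # the strongest signal that a weak, non-MFA account has just been taken over.
            findings[ip]["success_after_burst"] = (now.isoformat(), e["user"])

    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_password_guessing(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['failures']} failed RDP logons, accounts tried {sorted(f['users'])}, "
              f"success after burst: {f['success_after_burst']}")
```

On the sample data the script flags 203.0.113.7 (six failures across two administrative account names, then a success) and stays silent on the single mistyped password from 198.51.100.4. In production the same logic would be fed from the Security channel of internet-reachable RDP hosts, and the "success after burst" case is the one to treat as an incident rather than a noisy alert.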
Protecting your Network Environment
As with many other types of cyberattack, the best way to mitigate the risk of attack is to keep your devices up to date with the latest security patches. In the case of NetWalker, it is especially important to ensure that Oracle WebLogic Servers and VPN connections are kept secure.
Furthermore, it is important to ensure that your company’s RDS accounts are secured with both strong passwords and multifactor authentication.
At GIGE Corporation, we have over 30 years of experience managing the IT security of Canadian organizations. Don’t fall victim to NetWalker attacks: call us at +1 888 366 4443 or email us at firstname.lastname@example.org for a consultation.