
How Mailto (NetWalker) Ransomware Impersonates Sticky Password Software to Infect Enterprise Network



With the high ransom prices and big payouts of enterprise-targeting ransomware, we now have another ransomware known as Mailto or Netwalker that is compromising enterprise networks and encrypting all of the Windows devices connected to it.




Mailto (NetWalker) Ransomware Targets Enterprise Networks




When encrypting files, the Mailto ransomware will append an extension using the format .mailto[mail1].id. For example, a file named 1.doc will be encrypted and renamed to 1.doc.mailto[sevenoneone@cock.li].77d8b as seen below.


Ransomware is not just a threat--it's a criminal enterprise. The more cybercriminals successfully extort organizations, the more profits cybercriminals rake in from their efforts. Enter Ransomware as a Service (RaaS), where threats like Netwalker ransomware are not launched by their developers, but by any cybercriminal who wants to purchase the malware and launch their own attack.


Netwalker ransomware targets a variety of organizations, ranging from manufacturing companies and healthcare providers in the United States to Argentina's Immigration Agency and power utility companies in Pakistan.


The targets of NetWalker belong to various sectors, among them educational facilities, local government, healthcare providers, and private companies. In June of 2020, three US universities were targeted with the ransomware: the University of California San Francisco, Michigan State University, and Columbia College of Chicago.


First discovered in August 2019, NetWalker was initially called Mailto ransomware because it appended this extension to the files that it encrypted. It was later discovered through the analysis of one of its decryptors that the ransomware is called NetWalker. The ransomware is capable of compromising enterprise networks and encrypting the Windows devices connected to a compromised network. Its payload carries an embedded configuration which, upon execution, supplies the ransom notes and file names along with other configuration options. Current assessments are that NetWalker originated in Russia and was created by a Russian-speaking group of hackers.


Since ransomware exists to extract a ransom payment from the compromised network, the motivation behind NetWalker infections is financial gain. Recently, many ransomware operators have gone further with this financial motivation and have been exposing victims' confidential data online when they fail to obtain the ransom payment.


Their advertisements on the popular Russian-language forum exploit.in from March 19, 2020 reveal that the actor is looking for potential partners with persistent access to valuable networks and a demonstrated ability to carry out network intrusions. To lure competent partners, they also offer different revenue-sharing options: affiliates receive a different percentage of revenue depending on the total amount generated by the ransomware attacks. From what their advertisement posts reveal, the operators are offering the following profit percentages to partners:


Since 2019, NetWalker ransomware has reached a vast number of different targets, mostly based in western European countries and the US. Since the end of 2019, the NetWalker gang has indicated a preference for larger organisations rather than individuals. During the COVID-19 pandemic, the adversaries behind NetWalker clearly stated that hospitals will not be targeted; whether they keep to their word remains to be seen.


Bugatti provides regular updates on the improvements in the ransomware, such as the popular Invoke-ReflectivePEInjection method, also commonly used by Sodinokibi. In addition to the improvements in the ransomware, open slots for new affiliates are advertised. Bugatti strongly emphasized that they are primarily looking for experienced affiliates that focus on compromising the complete networks of organizations as opposed to end users. NetWalker is clearly following in the footsteps of its illustrious targeted ransomware peers like Sodinokibi, Maze and Ryuk.


NetWalker targets corporate computer networks, encrypting the files it finds and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. The ransomware was possibly created by a Russian-speaking group of hackers operating under the moniker Circus Spider.


In April 2020, the attackers focused their approach on breaking into networks and gaining access to data. The targets are large organizations such as private businesses, hospitals, and governmental agencies. The way hackers gain access to these larger organizations is by exploiting unpatched VPN appliances, weak Remote Desktop Protocol passwords, or exposed weaknesses in web applications.


Netwalker also targets private organizations. In February 2020, Australian company Toll Group was targeted by the ransomware. The company employs over 44,000 people in 50 countries and is the leading provider of transportation and logistics services in the Asia Pacific region. The Toll Group was able to shut multiple systems to stop the spread of the attack, but customer-facing operations were impacted in Australia, India, and the Philippines.


Netwalker is a type of ransomware that targets Windows-based systems. First discovered in August 2019, it evolved throughout the rest of 2019 and into 2020. The FBI noted significant spikes in NetWalker targeted attacks during the height of the COVID-19 pandemic.


However, as of April 2020, Netwalker ransomware switched up its approach and requested that affiliates do the same. Circus Spider started recruiting experienced network intruders to single out big targets such as private businesses, hospitals, or governmental agencies, rather than individual home users. Attackers gained unauthorized access to the networks of larger organizations by exploiting unpatched VPN appliances, weak Remote Desktop Protocol passwords, or exposed weaknesses in web applications.


Netwalker ransomware made a name for itself by preying on the fear surrounding the Coronavirus pandemic. Therefore, it comes as no surprise that medical service providers are one of its largest targets.


As per a statement issued by the Fiscal Unit Specialized in Cybercrime (Unidad Fiscal Especializada en Ciberdelincuencia), the infection was first noticed around 7 a.m., which led to computer networks being taken offline. This preventive measure was quickly applied in order to stop the ransomware from spreading, but it also led to a four-hour suspension of border crossings. After that, all systems were back online.


Update 6 February 2020 - Developers of Mailto (NetWalker) ransomware have recently started targeting various enterprise networks in order to generate large revenues. Companies are likely to have more valuable files and data than regular users.


As we previously mentioned, one of the main targets was healthcare organizations. The NetWalker ransomware was, and is, commonly spread in two ways. One is a VBScript attached to Coronavirus-themed phishing emails; the ransomware payload executes when the attachment is double-clicked or when a document containing the VBScript is opened. The other common way NetWalker ransomware spreads is as an executable file distributed across the network. Common tools used by NetWalker affiliates are Mimikatz, PSTools, AnyDesk, TeamViewer, and NLBrute.


NetWalker ransomware has had many targets already, so Logpoint has made a static list of hashes used in previous NetWalker attacks. As seen below, NetWalker can be detected by matching against this static list. For this alert to work, you must have the NETWALKER_HASHES list in your Logpoint solution.
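The two detection opportunities the text describes, the `.mailto[mail].id` file extension from the section above and the static NETWALKER_HASHES list, can be combined in a small log scanner. The following is an added example, not Logpoint's alert or any code from the original page; the hash values and the key=value log lines are constructed placeholders, and the assumption that the victim id is a short run of hex characters is taken from the single example `77d8b`.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed stand-in for a Logpoint-style NETWALKER_HASHES list.
# These SHA-256 values are placeholders, not real NetWalker indicators.
NETWALKER_HASHES: Set[str] = {
    "0" * 64,  # placeholder hash A
    "1" * 64,  # placeholder hash B
}

# Encrypted-file name format described in the text: <name>.mailto[<email>].<id>
# Assumption: the id is a run of hex characters, as in the example 77d8b.
MAILTO_EXT_RE = re.compile(
    r"^(?P<original>.+)\.mailto\[(?P<mail>[^\]\s]+@[^\]\s]+)\]\.(?P<id>[0-9a-fA-F]+)$"
)

# Generic key=value tokenizer for the constructed log format; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events: one known-bad process start, two mass renames on a
# file server, and two benign events that must not alert.
SAMPLE_LOGS = [
    r'ts=2020-02-06T07:00:55Z event=process_start host=ws17 image="C:\Users\a\AppData\Local\Temp\update.exe" sha256=' + "0" * 64,
    r'ts=2020-02-06T07:01:12Z event=file_rename host=fs01 path="C:\Share\1.doc.mailto[sevenoneone@cock.li].77d8b"',
    r'ts=2020-02-06T07:01:13Z event=file_rename host=fs01 path="C:\Share\report.xlsx.mailto[sevenoneone@cock.li].77d8b"',
    r'ts=2020-02-06T07:02:00Z event=process_start host=ws02 image="C:\Windows\System32\notepad.exe" sha256=' + "a" * 64,
    r'ts=2020-02-06T07:02:30Z event=file_create host=ws02 path="C:\Users\b\notes.txt"',
]


def parse_mailto_extension(filename: str) -> Optional[Dict[str, str]]:
    """Return original name, contact address and victim id if the filename
    carries a Mailto/NetWalker extension, otherwise None."""
    m = MAILTO_EXT_RE.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "mail": m.group("mail"), "id": m.group("id")}


def parse_kv_line(line: str) -> Dict[str, str]:
    """Tokenize key=value pairs; quoted values win over unquoted ones."""
    return {k: (quoted or unquoted) for k, quoted, unquoted in KV_RE.findall(line)}


def basename(path: str) -> str:
    # Accept both Windows and POSIX separators.
    return re.split(r"[\\/]", path)[-1]


def scan_logs(lines: List[str], hash_list: Set[str]) -> List[Dict[str, str]]:
    """Raise an alert for a known-bad process hash or a NetWalker-style rename."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_kv_line(line)
        kind = ev.get("event")
        if kind == "process_start" and ev.get("sha256", "").lower() in hash_list:
            alerts.append({"host": ev.get("host", "?"), "rule": "netwalker_known_hash",
                           "detail": ev.get("image", "")})
        elif kind in ("file_rename", "file_create"):
            info = parse_mailto_extension(basename(ev.get("path", "")))
            if info:
                alerts.append({"host": ev.get("host", "?"), "rule": "netwalker_mailto_extension",
                               "detail": f"{info['original']} -> id {info['id']} ({info['mail']})"})
    return alerts


def hosts_with_mass_rename(alerts: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts where the extension rule fired at least `threshold` times, which
    separates an encryption run from a single oddly named file."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a["rule"] == "netwalker_mailto_extension":
            counts[a["host"]] = counts.get(a["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, NETWALKER_HASHES)
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
    print("mass-rename hosts:", hosts_with_mass_rename(found))
```

The hash rule is only as good as the list behind it, since an affiliate can rebuild the payload and change every hash; the extension rule survives that, and counting renames per host turns it from a weak per-file signal into a strong one.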


Ransomware criminals are as varied as their approaches and targets. However, what remains consistent about ransomware is that small and medium businesses are the target of the bulk of attacks, because they lack the depth of security infrastructure that larger organizations have, making them easier targets.


Ransomware depends not on the complexity of its code, but on the vulnerabilities of its targets. At its core, ransomware is a worm looking for a hole. Preparing for a near-inevitable ransomware attack means closing those holes before the malware can breach systems.


More sophisticated ransomware attacks take advantage of backdoors or vulnerabilities in systems and networks. Attackers probe targets to find weaknesses in security systems, such as lapsed patches and updates, gaps in the configuration of security tools, and non-secure remote users.


July 2013 - Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phone and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users, using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days.


July 2015 - An Eastern European cybercrime gang has started a new TorrentLocker campaign where whole websites of energy companies, government organizations and large enterprises are being scraped and rebuilt from scratch to spread ransomware using Google Drive and Yandex Disk.


July 2015 - Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new; it was first detected in February 2015. It has been dubbed the "curse" of computer gamers because it targets many game-related file types.

