NetWalker Ransomware Gang Attacks on the Healthcare Industry

Although a number of threat groups have mentioned that they are not going to attack healthcare institutions on the frontline responding to the COVID-19 crisis, that definitely does not apply to the NetWalker ransomware operators.

The latest research performed by Advanced Intelligence LLC showed that the operators of the ransomware are extensively attacking healthcare industry targets and expanding their operations.

The majority of ransomware attacks done by Russian-speaking threat actors use massive phishing campaigns instead of targeted attacks. The NetWalker ransomware has spread all through the COVID-19 pandemic by means of spam emails making claims to give details about cases of SARS-CoV-2 and COVID-19. The emails have an attached Visual Basic script file named as CORONAVIRUS_COVID-19.vbs, which retrieves the ransomware from a remote server.

Although still using phishing emails, the group now engages in massive network infiltration. The group’s representatives are posting ads on top-tier darknet forums about a different affiliate program with the ransomware-as-a-service model. Though a lot of threat groups are not notably choosy concerning who they get to spread their ransomware, the NetWalker gang is looking out for quality instead of quantity approach and is merely wanting to get competent affiliates who have or can access business networks.

The gang chooses first affiliates who previously have access to business networks and hackers who have got substantial experience in executing regular attacks. Just like Russian threat groups, affiliates are banned from targeting Russia or the CIS.

The group states it could exfiltrate information before data encryption and the information stolen from victims will be posted on its blog when no ransom is paid, just like with other ransomware groups. The group additionally says that it always decrypt files after receiving ransom payment.

To entice seasoned hackers, the group is giving a high proportion of the ransom payment to affiliates. A lot of affiliate programs have a 30/70 sharing of ransom payments, with the affiliate getting 70%. NetWalker is giving 80% of ransom payments when below $300K, and 84% when over $300K. The group demands a ransom payment in amounts of a few hundred thousand bucks to millions.

The group has performed attacks on a number of healthcare institutions, such as the Champaign-Urbana Public Health District in Illinois, the Australian shipping company Toll Group, and the Australian customer experience company Stellar.

The group is utilizing fileless ransomware as per Trend Micro. Fileless ransomware does not need a disk, just the memory, so that security solutions are unable to identify attacks. Microsoft has cautioned healthcare organizations that attackers employed misconfigured IIS-based apps to utilize the Mimikatz credential-stealing application, and PsExec to install NetWalker.

The modification in strategies, techniques and processes favoring extremely targeted attacks, the present affiliate recruitment strategy, and the high percentage given to affiliates will possibly see NetWalker ransomware turn into an even greater risk in the next months as the group takes other manual ransomware threat groups like Maze and REvil.

Considering the growing manual ransomware attacks on healthcare corporations, network defenders must take preemptive steps to minimize risks like:

  • dealing with known vulnerabilities,
  • protecting vulnerable internet-facing systems
  • examining servers and apps for misconfigurations
  • keeping track of the use of penetration testing apps, security log tampering, and credential theft activities that could show a prior system breach