Netwalker Ransomware: What You Need to Know

Continuous improvements to existing ransomware have made the need for visibility into your organization’s external attack surface more critical than ever. According to the FBI and IC3, “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly.”

On September 10, a Fortune 1000 enterprise organization confirmed news reports of a Netwalker ransomware attack against its internal systems. Although specific details of that attack have not yet been released, Netwalker has generated at least $25 million for the criminals using it since March and has taken down systems at local government agencies, private companies, and educational institutions, among others.

Attackers deploying Netwalker commonly gain initial access through Internet-exposed RDP servers, web applications, and VPN appliances, then use the ransomware to encrypt Windows systems and data so that users cannot access them until a ransom is paid. Earlier Netwalker campaigns relied on phishing emails carrying VBS scripts that executed when the recipient opened them, but that delivery method has become less common.

Netwalker is believed to have been developed and operated by a threat group dubbed Circus Spider. It was first observed in August 2019 under the name Mailto, and further variants appeared in the wild throughout 2019 and early 2020. According to a report by McAfee, Netwalker has gradually shifted to a ransomware-as-a-service model, and attack volumes are surging as Circus Spider uses that model to recruit and compensate experienced cyber criminals. Under this model, Circus Spider supplies the infrastructure and tooling that affiliates need to take enterprise data hostage, and pays each affiliate an agreed share of the ransom once the victim pays.

According to a Federal Bureau of Investigation (FBI) Flash Alert, the Pulse Secure VPN arbitrary file read (CVE-2019-11510) and the Telerik UI for ASP.NET AJAX deserialization flaw (CVE-2019-18935) are the two vulnerabilities most commonly exploited by actors deploying Netwalker, but other Internet-facing systems are also frequently targeted.

To get a better idea of how vulnerable Fortune 500 enterprise organizations are to Netwalker, Expanse studied 35 of them over a 12-day period. Sixty percent of the organizations studied had at least one RDP server exposed to the Internet, and one organization had 945 exposed RDP servers. Exposures of this kind place these leading organizations at increased risk of a Netwalker ransomware attack.
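The checks implied by the three paragraphs above, as an added example that is not Expanse's tooling or code from the FBI alert: given externally observed service records (the `Record` layout and the `SAMPLE` data are constructed for illustration), flag Internet-reachable RDP, Pulse Connect Secure builds below the fixed releases named in the CVE-2019-11510 description (9.0R3.4, 8.3R7.1, 8.2R12.1, 8.1R15.1), and Telerik UI for ASP.NET AJAX releases through 2019.3.1023 (CVE-2019-18935), then summarize RDP exposure per organization the way the Fortune 500 study does. Version strings the parser does not recognize are deliberately not flagged, so the output never claims a vulnerability it cannot justify.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One externally observed service, as an attack-surface inventory might store it (assumed layout)."""
    org: str
    host: str
    port: int
    service: str        # scanner-assigned label, e.g. "rdp", "pulse-secure", "telerik-ui"
    version: str = ""   # product version where the scanner recovered one, else ""


# First fixed build per Pulse Connect Secure branch for CVE-2019-11510 (from the CVE description).
PULSE_FIXED = {"9.0": (3, 4), "8.3": (7, 1), "8.2": (12, 1), "8.1": (15, 1)}
# Telerik UI for ASP.NET AJAX: CVE-2019-18935 affects releases through 2019.3.1023.
TELERIK_LAST_AFFECTED = (2019, 3, 1023)

_PULSE_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:\.(\d+))?$")   # e.g. 9.0R3.3, 8.3R7
_TELERIK_RE = re.compile(r"^(\d{4})\.(\d)\.(\d+)$")         # e.g. 2019.3.1023


def pulse_vulnerable(version: str) -> bool:
    """True when a Pulse Connect Secure version is below its branch's fixed build."""
    m = _PULSE_RE.match(version)
    if not m:
        return False  # unrecognized format: report nothing rather than guess
    branch, release, minor = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    fixed = PULSE_FIXED.get(branch)
    return fixed is not None and (release, minor) < fixed


def telerik_vulnerable(version: str) -> bool:
    """True when a Telerik UI for ASP.NET AJAX version is at or below the last affected release."""
    m = _TELERIK_RE.match(version)
    if not m:
        return False
    return tuple(int(g) for g in m.groups()) <= TELERIK_LAST_AFFECTED


def is_exposed_rdp(rec: Record) -> bool:
    """RDP counts as exposed if the scanner labelled it RDP or it sits on the default port."""
    return rec.service == "rdp" or rec.port == 3389


def assess(records):
    """Return (host, port, reason) for every record matching a Netwalker initial-access vector."""
    findings = []
    for rec in records:
        if is_exposed_rdp(rec):
            findings.append((rec.host, rec.port, "RDP reachable from the Internet"))
        elif rec.service == "pulse-secure" and pulse_vulnerable(rec.version):
            findings.append((rec.host, rec.port, f"Pulse Connect Secure {rec.version}: CVE-2019-11510"))
        elif rec.service == "telerik-ui" and telerik_vulnerable(rec.version):
            findings.append((rec.host, rec.port, f"Telerik UI {rec.version}: CVE-2019-18935"))
    return findings


def rdp_exposure_summary(records):
    """Exposed-RDP count per organization and the share of organizations with at least one."""
    per_org = Counter(r.org for r in records if is_exposed_rdp(r))
    orgs = {r.org for r in records}
    share = len(per_org) / len(orgs) if orgs else 0.0
    return dict(per_org), share


# Constructed sample inventory (documentation IP ranges, fictional organizations), not real scan data.
SAMPLE = [
    Record("acme", "203.0.113.10", 3389, "rdp"),
    Record("acme", "203.0.113.11", 3389, "rdp"),
    Record("acme", "203.0.113.20", 443, "pulse-secure", "9.0R3.3"),
    Record("globex", "198.51.100.5", 443, "pulse-secure", "9.0R3.4"),
    Record("globex", "198.51.100.6", 443, "telerik-ui", "2019.3.1023"),
    Record("initech", "192.0.2.7", 443, "https"),
    Record("initech", "192.0.2.8", 443, "telerik-ui", "2020.1.114"),
]

if __name__ == "__main__":
    for host, port, reason in assess(SAMPLE):
        print(f"{host}:{port}  {reason}")
    counts, share = rdp_exposure_summary(SAMPLE)
    print(counts, f"{share:.0%} of organizations expose RDP")
```

The version comparison is the part worth getting right: Pulse builds compare within a branch only, so a 9.1 appliance (not listed in the CVE) is never flagged, and a release with no minor component (8.3R7) is treated as .0 and correctly falls below 8.3R7.1. In practice the records would come from your external scan data rather than the inline sample.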

Because you can only protect and monitor the Internet assets and services you know about, your organization may unknowingly be exposing systems to Netwalker attacks. Fortunately, Expanse is here to help. With complete, continuous, and accurate visibility into your entire external attack surface, your organization can be confident these critical services are locked down and never reachable from the public Internet.

In addition to an Internet asset inventory, your organization should make sure the cyber hygiene basics are in place to decrease the probability of a Netwalker ransomware attack. These include data encryption and regularly tested backups, strong password requirements and multi-factor authentication on remote access, robust email filtering, and enterprise-wide endpoint protection.

If you are a current customer, please reach out to your Engagement Manager to see how we can help you identify and secure any vulnerable systems and servers. And if you’re not a customer, we’re still here to help. Reach out to set up a demo today.