The operators of NetWalker ransomware have been aggressively targeting healthcare organizations, and more recently attacks on universities conducting research into COVID-19 have increased.

NetWalker ransomware first appeared in the middle of 2019 and has primarily been used in targeted attacks on enterprises, with the operators deploying their ransomware manually after first gaining access to a victim’s network.

As is the case with several other manual ransomware operators, reconnaissance is performed prior to the encryption of data: the attackers move laterally to compromise as many networked devices as possible, and sensitive data is exfiltrated. After the ransomware is deployed, the attackers threaten to publish the stolen data in an attempt to spur victims into paying the ransom rather than attempting to recover files from backups.

The business model of the NetWalker ransomware gang has recently changed and their ransomware is now being offered under the ransomware-as-a-service (RaaS) model, although the gang is only partnering with hackers that are experienced at attacking enterprises. This selective partnering is vastly different to many RaaS operations, which prioritize quantity over quality. The attack methods used to gain access to networks also differ from the brute force tactics typically used by Russian ransomware operators.

The operators of NetWalker ransomware have been extremely active during the COVID-19 pandemic. In addition to hospitals, medical billing companies, COVID-19 research organizations, and educational software providers have been attacked and, in the past few weeks, there has been a spate of attacks on universities. Michigan State University, Columbia College of Chicago and, most recently, University of California San Francisco have all been attacked. All three universities are involved in COVID-19 research. It is currently unclear whether an affiliate specializing in attacks on universities has been signed up or if universities involved in COVID-19 research have been specifically targeted.

Healthcare organizations are an attractive target as they are heavily reliant on data to operate. If patient data is encrypted and rendered inaccessible, the ability to provide medical services is significantly hampered, which makes payment of a ransom more likely. Current indications suggest the group is only interested in profiting from ransoms, but COVID-19 research data is in high demand and is certainly valuable. That could account for the number of recent attacks on universities, which have also been targeted by other ransomware gangs. Data from Emsisoft indicates at least 30 universities have suffered ransomware attacks so far in 2020.

NetWalker ransomware is evolving and poses a significant threat to organizations in all industry sectors, but especially healthcare and education. The ransom demands issued by the gang range from hundreds of thousands of dollars to millions, and data theft makes the cost of remediating an attack even higher.

It is unlikely that attacks will slow down in the weeks and months to come, and with a range of attack methods used to gain access to networks, it is important to ensure that all vulnerabilities are addressed and measures are implemented to protect against all possible attack vectors.