Data Center Doldrums
Equinix is the latest data center provider to fall victim to ransomware, with the Redwood City, Calif.-based company disclosing Thursday that a security incident resulted in ransomware getting into some of its internal systems. The company said its data centers and service offerings remain fully operational, adding that customer operations, data and equipment haven’t been impacted.
BleepingComputer reported Thursday that Netwalker carried out the ransomware attack against Equinix and demanded a $4.5 million ransom to prevent the release of stolen data. Equinix declined to comment on the BleepingComputer report. The company’s stock is down $8.31 (1.11 percent) to $745.11 per share since the ransomware attack was disclosed before the market opened Thursday.
Despite only being active for six months, Netwalker has crippled schools, hospitals and governments throughout the world and has already reaped more than $25 million in ransom payments.
From bypassing phishing and spam-based attacks to refusing English-speaking affiliates to doubling the ransom demands on victims that don’t immediately pay, here are seven things solution providers need to know about the Netwalker ransomware attacks following the Equinix breach.
Netwalker Emerged In Mid-2019 Following Toll Group Attack
Netwalker burst onto the scene in August 2019 following the high-profile ransomware attack against Australian transportation and logistics company Toll Group. Data gathered so far indicates that Netwalker ransomware was created by a Russian-speaking group of hackers operating under the Circus Spider moniker, according to Heimdal Security.
The ransomware initially was named Mailto based on the extension that was appended to the encrypted files, but analysis of one of its decryptors indicated that its name was Netwalker, according to Cynet. Mailto was first discovered by independent cybersecurity researcher and Twitter user GrujaRS, Heimdal Security reported.
Netwalker compromises the network and encrypts all Windows devices connected to it, Cynet found. When executed, Cynet said Netwalker uses an embedded configuration that includes a ransom note, ransom note file names and various configuration options.
Netwalker Affiliates Must Be Skilled, Avoid Russian Targets
Netwalker revolutionized the way it conducted business in March 2020 with the shift to a network intrusion-focused, Ransomware-as-a-Service (RaaS) model. The new business model has allowed Netwalker to collaborate with other seasoned cybercriminals who already have access to large networks and have the ability to disseminate ransomware, according to Advanced Intelligence.
Netwalker expressed a preference for affiliates “who prioritize quality, not quantity,” which Advanced Intelligence said stands in stark contrast to other Russian-speaking ransomware actors, which often focus instead on mass production and brute force attacks. A month later, Netwalker clarified that its interest was only in experienced, Russian-speaking network intruders (English speakers not allowed).
Netwalker affiliates are prohibited from going after organizations located in Russia or other post-Soviet republics that are part of the Commonwealth of Independent States (CIS), Advanced Intelligence said. Affiliates must also guarantee that they will provide decryption to the victims upon receipt of a ransom payment, according to Advanced Intelligence.
Netwalker Has Generated US$25 Million In Ransom Payments
Netwalker affiliates are compensated very generously and are offered a cut of up to 84 percent of the payout if the previous week’s earnings exceeded US$300,000, according to Heimdal Security. If the earnings are below that sum, Heimdal Security said the affiliates receive 80 percent of the total payout.
The remaining 16 percent to 20 percent of the proceeds go to the group behind Netwalker, Heimdal Security said. This is significantly larger than the payouts offered by Ransomware-as-a-Service pioneer GandCrab (which later returned as Sodinokibi, or REvil), which Advanced Intelligence said offers affiliates a 60 percent or 70 percent cut.
The Netwalker ransomware actors generated a total of US$25 million in ransom payments between the start of March and the end of July, according to McAfee. At a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt, McAfee said Netwalker is making millions off the backs of legitimate companies.
Netwalker Dumps Data Of Noncompliant Victims On Leak Site
Netwalker earlier this year began publishing victim data to a public blog accessible via TOR that lists noncompliant victims along with links allowing visitors to download the leaked data, according to SentinelOne. The public leak site naming and sharing ransomware victims was pioneered by Maze and subsequently copied by other ransomware actors including DoppelPaymer, REvil, Ragnar and Netwalker.
For victims that still have time, a countdown clock indicates how much time is left before Netwalker starts leaking their files, according to SentinelOne. Advertisements for Netwalker’s Ransomware-as-a-Service indicate this feature is fully automated for affiliates, SentinelOne said.
Netwalker has also sought to bolster its credibility with screenshots of payouts it has received from its extortion efforts, according to Advanced Intelligence. The Netwalker blog hosted just under 11 GB of stolen company data as of early June, though not all the links to dumped data are functional since providers like Mega and DropMeFiles appear to have taken action on some of them, SentinelOne said.
Netwalker Often Targets Health-Care, Education, Government Entities
Over the past six months, Netwalker has established a track record of going after health-care providers, educational facilities, local governments and private businesses. In the health-care sphere, Netwalker took down the systems of the Champaign-Urbana Public Health District on March 10 and infiltrated the systems of Pennsylvania’s Crozer-Keystone Health System in mid-June, according to Heimdal Security.
Netwalker struck Michigan State University, Columbia College of Chicago and the University of California San Francisco (UCSF) at the start of June and obtained sensitive data such as student names, Social Security numbers and financial information. UCSF, which had been conducting coronavirus treatment research through clinical trials and antibody testing, ended up agreeing to pay a US$1.14 million ransom.
From a local government perspective, Netwalker was able to enter the Austrian city of Weiz’s public network in May 2020 by using coronavirus-centric phishing emails. And right before news of the Equinix breach went public, Netwalker took down the online billing services for K-Electric, Pakistan’s largest private power supplier, and demanded a US$3.8 million ransom, which rises to US$7.7 million after a week.
Netwalker Bypasses Phishing For Network Infiltration
Netwalker in March 2020 was focused on having affiliates distribute the ransomware through spam emails that lured victims into clicking on phishing links and infecting the computers in their network, Heimdal Security said. The focus on mass volume meant that anyone was at risk of becoming a target, according to Heimdal Security.
But in April 2020, Heimdal Security said Netwalker started recruiting experienced network intruders to single out big targets such as private businesses, hospitals or government agencies rather than individual home users. Attackers gain access to the networks of larger organizations by exploiting unpatched VPN applications, weak Remote Desktop Protocol passwords or exposed weaknesses in web applications.
Two of the most common vulnerabilities exploited by actors using Netwalker are in Pulse Secure VPN and Telerik UI, according to an FBI Flash Alert issued in late July. After entering the network, Heimdal Security said Netwalker ransomware terminates running Windows processes and services, encrypts the files on the disk and deletes the backups that are stored on the same network.
Netwalker Leverages Tools To Boost Its Stealthiness And Persistence
The actors behind Netwalker have embraced sophisticated techniques to increase stealth and complicate analysis, such as process hollowing, in which the malware injects itself into a legitimate process such as explorer.exe and removes the original executable, according to SentinelOne. At this point, SentinelOne said, the infection is effectively hiding inside the address space of a legitimate process.
To maintain the persistence of the malicious file on the user’s host, Cynet said the payload deletes the original executable from its location and creates a registry key that will execute the file every time the host starts up. A dive into the payload’s memory strings to locate any signs of the ransom note indicates that the strings are obfuscated and Base64-encoded, according to Cynet.
To erase all the backup copies on the host, Cynet said an instance of “vssadmin.exe” runs silently to delete the volume shadow copies, preventing recovery from backups. Each Netwalker configuration file also contains lists of processes and files to look for so that they do not interfere with data collection or file encryption, naming both the services and the processes to kill before the malware carries out its main tasks.
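A defender-side illustration, added here and not drawn from any of the vendors cited above: a small Python scanner that flags, in constructed Sysmon-style events, the three behaviours this section describes (shadow copy deletion through vssadmin.exe, a Run-key entry pointing into a user-writable path, and a system binary spawned by a parent in a user-writable path, which is the parent/child shape process hollowing produces). The event field names, sample paths and thresholds are assumptions.

```python
import re

# Constructed sample events in a hypothetical Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\alice\AppData\Roaming\a1b2c3.exe"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.exe"},
]

# Shadow copy deletion: the backup-destruction step the article attributes to Netwalker.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Autostart locations used for the "run on every boot" registry persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Paths an unprivileged user can write to; legitimate autostart entries rarely live here.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)


def classify(event):
    """Return the alert labels for one event (empty list if nothing is suspicious)."""
    alerts = []
    if event["type"] == "process":
        if SHADOW_DELETE.search(event["cmdline"]):
            alerts.append("shadow_copy_deletion")
        # A Windows binary such as explorer.exe started by a parent living in a
        # user-writable directory is the shape a hollowing loader leaves behind.
        if SYSTEM_DIR.match(event["image"]) and USER_WRITABLE.search(event["parent"]):
            alerts.append("system_binary_from_user_path_parent")
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and USER_WRITABLE.search(event["value"]):
            alerts.append("run_key_user_writable_target")
    return alerts


def scan(events):
    """Run classify() over a list of events and return (index, label) pairs."""
    return [(i, label) for i, e in enumerate(events) for label in classify(e)]
```

The `vssadmin list shadows` event and the OneDrive Run entry are included as benign controls so the rules can be checked for false positives as well as hits.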