On June 1, the University of California, San Francisco (UCSF) began to panic, as it realized that many of its network files were being encrypted. What had happened? Someone had received a phishing email with embedded malware that activated and spread across the internal network.
The IT security team at the university quickly began to disconnect computers to prevent the propagation of the infection, but it was too late: they had fallen victim to NetWalker, a malware distributed by the cybercriminal group of the same name which had encrypted a number of their internal documents. This led to ransom negotiations, to which the BBC had access, through a live chat on the dark web.
The criminals’ opening demand was for a three million US dollar ransom, though after several rounds of negotiation the University managed to bring the figure down to US$1.14 million. Once the sum was agreed, UCSF sent 116.4 bitcoins to NetWalker’s electronic wallet and received the software required to decrypt the hijacked information. Despite these events, the University has given assurances that the attack affected neither its clients’ databases nor its recent research into COVID-19.
However, UCSF has not been the only target of NetWalker’s actions. An Illinois public health agency, covering nearly 210,000 people, acknowledged that in March this year, it too had been the victim of the same cybercriminals, in what was clearly a targeted attack. And, in the education sector, the University of Michigan and Columbia College, Chicago have also witnessed attacks in which a large part of their internal data was encrypted by NetWalker.
The target: hospitals and universities
Is there any relation between the various victims of this ransomware? In fact, there is. All of them have direct or indirect links to the healthcare sector. The connection of the health authority in Illinois is obvious, while UCSF, for example, was involved in intensive research into the coronavirus. The keyword, in the end, is coronavirus.
Although at some point several cybercriminal groups such as DoppelPaymer, Maze, and even NetWalker had promised a truce and agreed not to attack any healthcare institutions, the latter would appear to have broken the pact. The reasons for this are clear: these institutions have not only seen their workloads increase during the present health crisis, leaving fewer resources to dedicate to IT security, but they may also hold research data and other information relating to the fight against the COVID-19 pandemic. This is a particularly delicate issue, which is why organizations such as the US Cybersecurity and Infrastructure Security Agency (CISA) are warning all types of health centers of an increase in COVID-related phishing attacks.
The cases speak for themselves. The Birmingham Nightingale temporary hospital, specifically dedicated to the pandemic, was attacked by a group of cybercriminals in May which, according to The Telegraph, gained access to the personal details of up to 100,000 people, including names, payroll details, and banking and pension information. Although the COVID-19 pandemic has seen an increase in incidents, attacks on hospitals are nothing new. The delicate nature of the information they handle has always made them especially vulnerable, with cases that have even seen them having to cancel all operations.
How does NetWalker operate and how can the threat be countered?
NetWalker’s actions are not entirely new, as in effect it represents an evolution of the MailTo malware. Its activity was first detected towards the end of 2019, and it works in a similar way to its predecessors, i.e. through a targeted attack. Its initial point of entry is usually email, with the attachment ‘Coronavirus_Covid-19.vbs’ or sometimes a link to the file.
Once the file is downloaded and run, it uses PowerShell scripts to load the malware via DLL injection. In this way, it progressively reaches all the documents on a system and encrypts all the information, making it inaccessible to the user. Finally, according to reports from several cyberattacks, the victim receives a ‘Readme.txt’ file with information about the attack and instructions for contacting the criminals in order to negotiate the ransom. On some occasions, this note is in a JSON file.
There are several ways of preventing these types of attacks which any organization should take to ensure its cybersecurity:
1.- Emails and trust. Employees are always the weakest link in the cybersecurity chain, and this is yet another example. Organizations must make staff aware of the importance of not opening suspicious emails or clicking links or downloading files that haven’t been verified as legitimate.
2.- Authentication. Malware can sometimes gain access to an employee’s credentials in order to run a specific application, so multi-factor authentication will help prevent cybercriminals from getting through security barriers, especially if, in addition to a password, they have to enter a specific token or PIN sent via SMS to employees’ phones.
3.- Backup copies. Should it be impossible to prevent, avoid, or mitigate an attack, it is highly beneficial to an organization to have backup copies of files. In the worst-case scenario, it means you won’t have to pay a ransom to recover your data.
4.- Endpoint vigilance. The most important measure of all. Given that many malware attacks exploit operating system vulnerabilities and attempt to pass themselves off as trusted files, organizations must have complete vigilance over all internal processes running on their networks to detect any type of behavior which, although it may seem safe, could really be anomalous or dangerous.
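As an added example (not code from the original post or from Cytomic), here is the kind of endpoint check that points 4 and the NetWalker description above call for: a small Python script that, over constructed Sysmon-style events, flags powershell.exe spawned by a script host that is running a .vbs file, and flags a process dropping Readme.txt notes into many folders at once. The event field names, process IDs and paths are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# Field names are assumptions, not any product's real schema.
EVENTS = [
    {"pid": 4120, "ppid": 988, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Coronavirus_Covid-19.vbs"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc <encoded-placeholder>"},
    {"pid": 5200, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},  # benign admin use
]
# Constructed file-create events: one process drops Readme.txt into 25 folders.
FILE_EVENTS = [{"pid": 4188, "path": rf"C:\Users\alice\Documents\proj{i}\Readme.txt"}
               for i in range(25)] + [{"pid": 5200, "path": r"C:\Users\alice\Desktop\readme.txt"}]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell switches typical of script droppers: hidden window, encoded command, policy bypass.
SUSPICIOUS_PS = re.compile(r"(?i)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b|(ep|executionpolicy)\s+bypass)")
# Ransom-note names as described on the page: Readme.txt, or the same note as JSON.
RANSOM_NOTE = re.compile(r"(?i)^readme.*\.(txt|json)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_script_to_powershell(events):
    """Alert when powershell.exe is spawned by a script host that is running a .vbs file."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in parent["cmdline"].lower():
            continue
        # Hidden/encoded flags raise the severity; the parent chain alone is already worth a look.
        severity = "high" if SUSPICIOUS_PS.search(e["cmdline"]) else "medium"
        alerts.append({"pid": e["pid"], "parent_pid": parent["pid"], "severity": severity})
    return alerts

def detect_ransom_note_burst(file_events, threshold=20):
    """Alert when one process writes ransom-note files into at least `threshold` distinct folders."""
    dirs = defaultdict(set)
    for f in file_events:
        if RANSOM_NOTE.search(basename(f["path"])):
            dirs[f["pid"]].add(f["path"].rsplit("\\", 1)[0].lower())
    return [{"pid": pid, "directories": len(d)} for pid, d in dirs.items() if len(d) >= threshold]
```

The parent-child check fires on the delivery chain before any encryption happens; the note-burst check is a last-line signal that a process is already touching many folders and should be isolated immediately.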
Because of this, solutions such as Cytomic Orion are essential. This cloud-based data analytics platform analyzes the behavior of applications, users, and endpoints to detect and rapidly investigate anomalous behavior. The architecture collects data about the activity on endpoints in real time and processes it with artificial intelligence algorithms to prevent, detect, hunt, and respond to all types of threats, whether known or not.
So, if an organization were to suffer a cyberattack, it would always be able to implement actions to mitigate the damage. However, cybersecurity must aim to go further and be proactive, focusing on locating possible threats before they materialize and thereby nullifying their potential effects.