Netwalker Ransomware Site, Emotet Botnet Taken Down in Global Effort

Federal agencies took down two significant global cybercrime efforts: the Emotet botnet and the Netwalker ransomware hacking group’s dark web site used for communicating with victims.

By Jessica Davis

Two of the most prolific cyber threats have been disrupted by global federal efforts this week. The notorious Emotet botnet was taken down through a global collaboration, while the FBI and the Department of Justice seized the Netwalker ransomware hackers' dark web site used for communicating with victims.

Both of the actions occurred on Wednesday, January 27 and mark a significant hit to two massive threats that pummeled a range of sectors. Netwalker has been a particular bane to the healthcare industry.

Its healthcare victims include the University of California San Francisco, which paid $1.14 million to the attackers for the return of data stolen from its School of Medicine in June 2020.

“Ransomware groups and other cybercriminals have been operating with almost complete impunity for a very long time, so it's fantastic to see successful action being taken against them,” Emsisoft Threat Analyst Brett Callow told HealthITSecurity.com.

“In addition to possibly disrupting the groups’ operations and revenue stream, it only sends a clear message to cybercriminals that they may no longer be able to get away with it,” he added.

The takedown of Emotet was led by Europol and Eurojust and supported by a global effort of federal security leaders from the US, Germany, UK, and a host of other countries. The operation was carried out through the European Multidisciplinary Platform Against Criminal Threats (EMPACT) framework.

Emotet first emerged as a banking trojan in 2014 and is one of the longest-lasting cybercrime services. Its hackers continuously evolved the variant, which became a “go-to solution” for cybercriminals. When it’s active, the variant is also one of the largest senders of malicious emails.

Its infrastructure acted like a primary gateway into computer systems on a mass global scale. Once Emotet had gained access to victims’ networks, the entryways were sold on the dark web to other cybercriminal groups and used for other criminal activities, including data theft and ransomware.

Emotet was primarily spread through infected Word documents sent by email using a fully automated process. The hackers would modify campaigns to mimic common news trends. In 2020, the campaigns would surge for short periods of time and then reemerge with new trends.

The last campaign was spotted in December 2020 sending more than 100,000 emails a day and using new evasion tactics.

But Europol stressed that what made Emotet so dangerous was that its malware was offered for hire to other cybercriminals to install other malware, with Ryuk and Trickbot operators reaping the most benefit.

To take down Emotet, law enforcement teamed up to gain control of its infrastructure, which included several hundred servers around the world. The servers had different functions for managing the vast number of infected victims' computers.

Once the law enforcement team gained control, they were able to take it down from the inside. The victims’ infected devices have now been redirected to the law-enforcement-controlled infrastructure.

Notably, during the takedown, the team found a database containing the email addresses and credentials stolen by Emotet. Europol created a site that allows potential victims to see if their credentials were compromised.

“Whether the Emotet takedown has a long-term impact remains to be seen, but it’s a win for the good guys even if the botnet does bounce back,” Callow added.

“Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet,” said Jerome Segura, Director of Threat Intelligence at Malwarebytes, in a statement. “This is a very impactful action that likely will result in the prolonged success of Emotet’s global takedown.”

Netwalker Site Seizure

For Netwalker, DOJ announced an international law enforcement team disrupted the sophisticated ransomware hacking effort, including charging one of its alleged members for their role in the attacks.

“We’re striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division, in a statement.

“Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation,” he added.

Netwalker was part of the shift into extortion schemes, which were designed to ensure victims paid their demands. The group heavily preyed on the healthcare sector, with the first targeted attacks on the industry observed in May 2020.

At that time, the group transitioned to a Ransomware-as-a-Service (RaaS) model, partnering with other seasoned hackers in their attacks. Its healthcare victims included the Champaign-Urbana Public Health District in Illinois, whose website was attacked, the College of Nurses of Ontario, and others.

The challenge, and success, of Netwalker was that “once they infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files,” the FBI previously warned.

“In order to encrypt the user files on the victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable,” they added. “Actors using Netwalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA.NZ, by uploading data through the MEGA website or by installing the MEGA client application directly on a victim’s computer.”
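
The FBI warning above names two observable signals: uploads to MEGA and the MEGA client appearing on a victim machine. As an added example (not from the article, the FBI or DOJ), the Python below flags hosts showing either signal in constructed proxy and process-creation logs. The log formats, domain list, client image name and 100 MiB threshold are assumptions.

```python
from collections import defaultdict

MEGA_DOMAINS = ("mega.nz", "mega.co.nz")  # assumption: extend from MEGA's own published list
MEGA_CLIENT = "megasync.exe"              # assumption: image name of the desktop client
UPLOAD_THRESHOLD = 100 * 1024 * 1024      # assumption: 100 MiB per host per log window

# Constructed sample data. Proxy format: time host method destination bytes_sent
PROXY_LOG = """\
2021-01-20T02:11:05Z ws-014 POST g.api.mega.co.nz 73400320
2021-01-20T02:14:40Z ws-014 POST g.api.mega.co.nz 62914560
2021-01-20T09:02:11Z ws-031 GET mega.nz 1200
2021-01-20T09:05:19Z ws-022 POST omega.nz 209715200
2021-01-20T10:30:00Z srv-fs1 POST mega.nz 4096
"""
# Constructed sample data. Process-creation format: time host image_path
PROCESS_LOG = """\
2021-01-20T10:29:41Z srv-fs1 C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe
2021-01-20T10:31:02Z ws-031 C:\\Windows\\System32\\notepad.exe
"""

def is_mega(dest):
    """Match the domain or a subdomain, never a look-alike suffix such as omega.nz."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in MEGA_DOMAINS)

def find_mega_exfil(proxy_log, process_log):
    """Return {host: [reasons]} for bulk uploads to MEGA or a MEGA client launch."""
    uploaded = defaultdict(int)
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of guessing
        _, host, method, dest, sent = parts
        if method in ("POST", "PUT") and is_mega(dest):
            uploaded[host] += int(sent)
    findings = defaultdict(set)
    for host, total in uploaded.items():
        if total >= UPLOAD_THRESHOLD:
            findings[host].add("bulk_upload")
    for line in process_log.splitlines():
        parts = line.split(None, 2)  # the image path may contain spaces
        if len(parts) == 3 and parts[2].lower().endswith("\\" + MEGA_CLIENT):
            findings[parts[1]].add("mega_client")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in find_mega_exfil(PROXY_LOG, PROCESS_LOG).items():
        print(host, reasons)
```

Where MEGA has a legitimate business use, an allowlist of approved hosts would be applied before alerting.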

The group also preyed on law enforcement, emergency services, school districts, colleges, municipalities, and other companies. DOJ explained the group heavily shifted its attacks to target healthcare in light of the response to COVID-19.

DOJ seized about $454,000 in cryptocurrency from the alleged Netwalker member charged in connection with the ransomware attacks where “tens of millions of dollars were obtained.” The member has also been charged with illegally obtaining more than $27.6 million as a result of his alleged role in the Netwalker attacks.

The effort also resulted in the disablement of the hidden dark web resource used to communicate with victims. The investigation was led by the Tampa FBI field office.

Notably, the DOJ announcement shed further light on Netwalker’s schemes. The affiliates and developers of the RaaS model used in some Netwalker attacks would split the ransom as payment for their services.

Further, Netwalker actors would commonly gain access to victims’ networks days or weeks prior to deploying the ransomware note. During that time, they’d elevate their privileges within the network and spread ransomware from workstation to workstation.

The ransom note would not be deployed until the hacking group was satisfied that they’d infiltrated enough of the system to elicit an extortion payment.

“The seizing of NetWalker’s site and the arrest of an alleged member of the group is significant,” Callow said. “While it’s impossible to say what, if any, impact it will have on the group’s day to day operations, this is one of only a handful of occasions in which such actions have been successfully taken.”