Over the past few weeks, there have been attacks carried out against universities in the united states where the attackers have been successful in stealing unencrypted data and then encrypting the university computers for ransom. The data taken from these universities has consisted of student applications with social security numbers, a spreadsheet, a folder listing that had employee information, medical studies from a university, and financials. The hackers are promising that if the ransomware isn't paid for, then they would leak this information. While the list of affected universities is short, this group has successfully launched attacks against Columbia College of Chicago, Michigan State University, and recently the University of California San Francisco. At the same time, it seems these Universities have taken the stance that they won't be paying the ransomware and have notified those affected depending on the level of infection.
Who is Netwalker
Netwalker is a relatively new player in the world of ransomware. Known initially as mailto, Netwalker has been successfully going after large targets since their coming out in 2019, where the group carried out a massive attack against the Australian toll group that compromised around 1,000 systems, forcing the toll company to shut down and fix those devices while they had to revert to manual processes for clearing the backlog of undelivered local and international Australia parcels. While there was no indication of personal information or data stolen, it seems the group has now found a way to level up their attacks and get sensitive data that carries a price to keep secret.
How does this group carry out their attack?
It's believed that the group is taking advantage of Remote desktop services in these systems and uses spam to try and access enterprise level-networks where they are taking the information listed above.
What can you do to prevent an attack like this?
For starters, you can look at your Remote Desktop services and make sure these things are done.
- Use Strong passwords
- Use two-factor authentication
- Update your software
- Restrict access using your firewall
- Enable Network-level authentication (Windows 10, windows server 2012 R2/2016/2019 do this by default)
Other steps you can take to help reduce your risk to a Ransomware attack:
- Don't download suspicious files from outside or usual senders unless your IT group has cleared it.
- Make sure you have periodic system backups for your data. That way your data could be brought back online quickly in the event of an attack where data can't be recovered
- Always try to improve your network segmentation where you can.
Written by Adam Voss
Adam Voss graduated from Maryville University with an emphasis on pen-testing. Currently, he works at TechGuard as a cybersecurity analyst. When he's not working on projects or expanding his knowledge in the field to get his certs, he can be found doing something that involves physical exercise or rooting for the cardinals or blues.