The FBI issued a flash alert warning of a significant increase in targeted NetWalker ransomware attacks on U.S. and foreign health agencies, governments, private companies, and education institutions. The courts have already been the target of several significant attacks.
What is NetWalker Ransomware?
NetWalker ransomware uses advanced encryption techniques to target Windows-based systems. Attackers are leveraging interest in the COVID-19 pandemic to spread the virus through email communications.
The attackers are broadening their reach through Ransomware as a Service (RaaS), partnering with other cybercriminals. The VBS (Visual Basic Script) attachment executes when the user opens the email. Attackers are also exploiting Virtual Private Networks (VPNs), web application interface components, and weak credentials for Remote Desktop Protocol (RDP) connections.
What can you do to prevent and/or prepare for an attack?
- Be sure to back up your most important data regularly. Backups should be stored in places not accessible via your network connection or should use network segmentation to limit access. Investigate cloud or off-site tape options. In addition, backups should be periodically tested to make sure they are complete and the data is accessible. Ensure there is a complete inventory of assets and their backup locations.
- Ensure your business continuity and disaster recovery plans include strategies for ransomware attacks and that these are tested regularly.
- Be sure your operating systems, browsers, and all other software are up to date. Otherwise, they may not have the latest security patches.
- Update patches on hardware devices, especially those that are part of critical infrastructure.
- Make sure your antivirus software and malware definitions are updated daily and as indicated by your software provider.
- Update spam settings to block attachments with an .exe, .vbs, or .scr extension. Also beware of Microsoft Office attachments that may contain macros.
- Educate users on the dangers of opening emails from unknown senders, as well as emails with suspicious subjects that may seem like they are from within the organization or from acquaintances.
- Educate users not to click on links that seem suspicious. Increasingly, these may be provided through social networks or mobile device messengers.
- Inform users how to report suspicious emails, activities, or other security concerns so they can be investigated promptly.
- Keep the Windows Firewall turned on and properly configured at all times. Disable unnecessary features such as Windows Script Host, Windows PowerShell, Windows Volume Shadow Copy, etc., as these can be exploited by a virus. Consider disabling AutoPlay and File Sharing unless they are needed. Set group policies to prevent users from altering system settings.
- Viruses are most often dropped in ProgramData, AppData, Temp, and Windows\SysWOW64. Consider policies that prevent executables from running from these directories.
- Disable remote desktop protocol (RDP) on desktops unless it is necessary for business operations. This may be exploited to infect systems. Explore other methods of accessing needed resources remotely.
- Consider additional firewall protection. Keep aware of and block known malicious IP addresses and utilize services that update blacklists. You can find options for providers of these lists at https://zeltser.com/malicious-ip-blocklists/.
- Implement security-based network segmentation and consider a network-based intrusion detection system (IDS).
- Carefully monitor Bluetooth and wireless connections for suspicious activity. Bluetooth may be exploited through a Bluetooth Impersonation AttackS (BIAS), and wireless may provide opportunities through a rogue access point.
- Have a communication strategy prepared in advance. Have cybersecurity legal expertise identified to help guide communications and address the legal and ethical context for addressing the public, stakeholders, and internal staff.
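As an added example (not part of the FBI alert or this advisory), the following read-only PowerShell audit checks several of the Windows hardening items in the list above: Windows Script Host, RDP, AutoPlay, the firewall profiles, and AppLocker deny rules covering the drop directories. The function names are my own; the registry paths and cmdlets are the standard Windows ones.

```powershell
# Added example, not from the original advisory. Read-only audit of the
# hardening items listed above; it changes no settings. Run elevated.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

function Test-RansomwareHardening {
    $findings = @()

    # Windows Script Host: Enabled = 0 stops wscript/cscript from running .vbs/.js files
    $wsh = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $findings += [pscustomobject]@{ Control = 'Windows Script Host disabled'; Pass = ($wsh -eq 0); Value = $wsh }

    # RDP: fDenyTSConnections = 1 means inbound Remote Desktop is turned off
    $rdp = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $findings += [pscustomobject]@{ Control = 'RDP disabled'; Pass = ($rdp -eq 1); Value = $rdp }

    # AutoPlay: NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on every drive type
    $autorun = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $findings += [pscustomobject]@{ Control = 'AutoPlay disabled'; Pass = ($autorun -eq 255); Value = $autorun }

    # Windows Firewall: Domain, Private and Public profiles should all be enabled
    foreach ($p in Get-NetFirewallProfile) {
        $findings += [pscustomobject]@{ Control = "Firewall profile $($p.Name) on"; Pass = ("$($p.Enabled)" -eq 'True'); Value = $p.Enabled }
    }

    # AppLocker: look for Deny path rules in the Exe collection that cover the drop directories.
    # Get-AppLockerPolicy is absent on Home editions; then every directory is reported as uncovered.
    $denyPaths = @()
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $denyPaths = @($policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.Type -eq 'Exe' } |
            ForEach-Object { $_.FilePathRule } |
            Where-Object { $_.Action -eq 'Deny' } |
            ForEach-Object { $_.Conditions.FilePathCondition.Path })
    } catch { }
    foreach ($dir in 'ProgramData', 'AppData', 'Temp') {
        $covered = @($denyPaths | Where-Object { $_ -like "*$dir*" })
        $findings += [pscustomobject]@{ Control = "AppLocker Deny rule for $dir"; Pass = ($covered.Count -gt 0); Value = ($covered -join '; ') }
    }
    return $findings
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Each row reports Pass as true only when the setting matches the hardened value; a null Value means the key was never configured, which is the default (unhardened) state.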
What to do if you are attacked
- If suspicious activity happens on a workstation or a user notifies you that they opened a suspicious email or attachment, turn off the Internet connection and unplug the workstation from the network. If there is no Internet connection, the virus cannot normally connect to the source to be fully activated. Perform forensics on the workstation and consider wiping and rebuilding it before putting it back in service. Make sure it is thoroughly scanned for viruses or malware before reconnecting it to your network.
- Immediately notify other users and management about the suspicious email and/or attachment so that they can avoid it.
- If an attack has progressed, disconnect the uninfected network segments from the infected devices. Disconnect all access to the Internet and other external networks.
- Engage security experts to assist in forensics and system restoration as needed or if internal capabilities are not available.
- Activate your business continuity and disaster recovery plan. Ensure that all assets, such as hard drives, are physically secure, labeled, and tracked. Dealing with physical security is often an afterthought and can result in the loss of valuable files.
- The FBI cautions agencies not to pay the ransom. Paying simply encourages more malfeasance.
- Implement communication outreach in accordance with the communication plan.