What is NetWalker malware and how does it work?

International. The ransomware attack on Argentina's National Directorate of Migration (DNM) on August 27 is back in the news now that it has been confirmed to be NetWalker.

Cybercriminals are demanding a ransom running into millions, under threat of publishing the information held by this agency of the Ministry of the Interior.

Operation
Ransomware is a form of cybercrime and an increasingly common attack method among hackers, used to extort money from individuals, businesses and governments alike.

While the first ransomware incidents were discovered in 2005, the past three years have seen this type of threat compromise millions of computers and mobile devices around the world.

According to industry reports, the number of companies targeted by cyberattacks has multiplied in the last period, which is reflected in economic and commercial losses.

Amid changes in the global landscape, cybercriminals have lately refined their methods, exploiting one of the biggest concerns of our era: the Covid-19 pandemic.

This is where the questions arise: what is it, what does it do, who is behind this operation, and how can we protect ourselves from becoming its victims?

The code used in the DNM attack was NetWalker, the name of malicious software (malware) that encrypts files, taking control of the user's stored information and data and blocking the operating system. The attacker then announces itself with an "official" ransom demand in a pop-up window, demanding payment to regain access to the device or to receive the decryption key for the captive files. Payment is usually made in virtual currency (bitcoin and other cryptocurrencies), which is hard to trace.

While NetWalker has been circulating since September 2019, it was only considered a real threat as of March 2020. It is estimated that, through the users it affected, hackers managed to introduce it into networks before April.

In June of this year, cybercriminals asked the University of California for a ransom of $3 million, eventually negotiating $1.14 million.

Meanwhile, on July 28 the FBI issued a cybersecurity alert (Alert no. MI-000130-MW) detailing how NetWalker operates. Its main targets were healthcare, education, government and private organizations.

NetWalker is a variant of a previously detected code called Mailto and, according to reliable sources, changed its name late last year.

The information gathered by cybersecurity specialists so far indicates that the creators of this variant belong to a group of Russian hackers called Circus Spider.

The technical term used to describe this ransomware is closed-access RaaS (Ransomware as a Service), meaning that this group provides the attacker(s) with the tools and infrastructure needed to carry out the cybercrime.

The group advertises on the dark web for those interested in using the service, who partner with it to distribute the code.

However, hackers who want to join must comply with all of the group's guidelines and rules. Affiliates are prohibited from attacking Russian organizations or member countries of the Commonwealth of Independent States. Affiliates are also obliged to return the information once payment is received, although there is no guarantee that this will happen.

How it works
Initially, affiliates distributed emails containing a link to the ransomware. In this way they infected not only the computer used to read the mail: the infection spread throughout the Windows network it was connected to, turning any user into a possible victim.

However, starting in March of this year, NetWalker shifted its focus, recruiting attackers with greater knowledge and experience in networks and selecting victims such as healthcare organizations, hospitals, government agencies and large private organizations.

In this way, cybercriminals gain access to all of the victims' important and sensitive information, which they use for blackmail: they demand payment both for not publishing it on the Internet and for returning it, since, once encrypted, there is no way to access that information.

To understand the starting point of the intrusion, it should be borne in mind that several vulnerabilities are used to break into networks, but the main ones are:

- The use of weak passwords by users who work with remote desktops, and
- The use of outdated VPN access.
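Weak remote desktop passwords are found by guessing them, and guessing leaves a trace in the logon audit. The following Python script is an added example, not code from the article or from WatchGuard: it scans constructed Windows Security log records (failed logons are Event ID 4625, successes 4624) and flags any source address that produces a burst of failed remote desktop logons, escalating if a successful logon from that source follows. The simplified key=value record format, the thresholds and the addresses are assumptions.

```python
"""Flag password-guessing bursts against remote desktop logons.

Added example, not part of the original article. It scans constructed
Windows Security log records in a simplified key=value form and reports any
source address that produced THRESHOLD or more failed logons (Event ID 4625)
within WINDOW_SECONDS, plus whether a successful logon (Event ID 4624) from
that same source followed the burst. Thresholds and the record format are
assumptions; a real deployment would read the events from the SIEM.
"""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # failed logons from one source within the window
WINDOW_SECONDS = 60

# Constructed sample records (TEST-NET addresses). Logon type 10 is
# RemoteInteractive (RDP); when Network Level Authentication is enabled,
# failed RDP attempts are commonly recorded as type 3 (Network) instead.
SAMPLE_LOG = """\
2020-09-01T02:14:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2020-09-01T02:14:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2020-09-01T02:14:04 EventID=4625 LogonType=3 User=svc_backup Src=203.0.113.45
2020-09-01T02:14:06 EventID=4625 LogonType=10 User=soporte Src=203.0.113.45
2020-09-01T02:14:09 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2020-09-01T02:14:12 EventID=4625 LogonType=10 User=helpdesk Src=203.0.113.45
2020-09-01T02:16:30 EventID=4624 LogonType=10 User=helpdesk Src=203.0.113.45
2020-09-01T02:15:00 EventID=4625 LogonType=10 User=jperez Src=198.51.100.7
2020-09-01T02:45:00 EventID=4625 LogonType=10 User=jperez Src=198.51.100.7
"""


def parse_record(line):
    """Turn 'ISO-timestamp key=value ...' into a dict with a datetime."""
    timestamp, *fields = line.split()
    record = {"time": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_guessing_bursts(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: {"failures": n, "users": set, "success_after_burst": bool}}.

    Only sources that reached `threshold` failed remote desktop logons inside
    a sliding window of `window` seconds are reported; `failures` is the
    largest count seen in any single window and `users` the accounts tried.
    """
    records = sorted(
        (parse_record(line) for line in log_text.splitlines() if line.strip()),
        key=lambda r: r["time"],
    )
    recent = defaultdict(deque)  # src -> (time, user) of recent failures
    alerts = {}
    for rec in records:
        if rec.get("LogonType") not in ("10", "3"):
            continue
        src = rec["Src"]
        if rec.get("EventID") == "4624":
            # A success from a source that already tripped the threshold is
            # the case most worth escalating: the password was likely guessed.
            if src in alerts:
                alerts[src]["success_after_burst"] = True
            continue
        if rec.get("EventID") != "4625":
            continue
        window_events = recent[src]
        window_events.append((rec["time"], rec["User"]))
        while (rec["time"] - window_events[0][0]).total_seconds() > window:
            window_events.popleft()
        if len(window_events) >= threshold:
            entry = alerts.setdefault(
                src, {"failures": 0, "users": set(), "success_after_burst": False}
            )
            entry["failures"] = max(entry["failures"], len(window_events))
            entry["users"].update(user for _, user in window_events)
    return alerts


if __name__ == "__main__":
    for src, info in find_guessing_bursts(SAMPLE_LOG).items():
        print(src, info)
```

On the sample data the script reports only 203.0.113.45: six failures against five different accounts inside one minute, followed by a successful logon, while the two spaced-out failures from 198.51.100.7 stay below the threshold. The same sliding-window logic applies to VPN authentication logs once the records are mapped to the same fields.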

With regard to attacks on government entities, two recorded incidents can be cited:

May 2020, city of Weiz (Austria). The attackers entered the city's data network using emails that referenced relevant information about Covid-19.

September 2020, Argentina. The attack on the database of the National Directorate of Migration was detected around 7 a.m. on August 27, according to the Cybercrime Prosecutor's Unit. The networks were then disconnected and left offline to prevent the malware from spreading. The outage of various services at border posts, Ezeiza International Airport and the Buquebus terminal interrupted the system and prevented people from entering or leaving the country for four hours. Specialists agree that this action prevented a massive spread of the ransomware.

Keys to prevent this type of attack
-Implement routine password changes for network access as a standard procedure. This invalidates credentials that cybercriminals may already have obtained.

-Incorporate MFA (multi-factor authentication) services, which secure access to the network even if the username and password have been compromised. This is highly recommended, since routine password changes lead users to simplify their passwords: 65% reuse the same password with a single character or digit changed, in some cases sequentially, making them easy for hackers to guess.

-Establish a strategy for applying updates.

-Establish an efficient backup strategy.

-Implement a state-of-the-art edge firewall with content-analysis capability that can run, at the same time, antivirus, antimalware, intrusion detection, application control and detection, network analysis, geolocation, reputation-based prevention, remote access control and control of services such as DNS.

-Implement, as standard procedure, antivirus and antimalware services that apply artificial intelligence to detect new or unknown threats, with the ability to synchronize the security services that analyze those threats.

-Have broad visibility into what happens on the firewall and the network: given the number of services and possible threats detected today, it would be impossible to verify their status without an easy-to-use tool that can also generate easy-to-read reports for all managers.

-To minimize possible intrusions, keep operating systems and installed software up to date, and control the software installed on computers connected to the network, to prevent attacks that enter through software installed by the user.

-Finally, when all of the above is not enough, have the ability to return almost immediately to a secure and reliable backup point, so that the organization can continue operating.
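The failure mode described under the MFA recommendation above, users answering a forced rotation with the same password plus a changed digit, can be caught at change time, when the change form has both the old and the new value in the clear. The following Python check is an added example, not code from the article or from WatchGuard: it rejects new passwords that are too short, well known, unchanged apart from case, the same base word with different digits or symbols, or within a small edit distance of the previous password. The length threshold, the tiny denylist and the sample passwords are constructed for the example.

```python
"""Reject password rotations that are trivial variants of the old password.

Added example, not part of the original article. At change time the system
has the current password and the proposed one in the clear, so a policy
check can compare them before anything is hashed. Thresholds, the small
denylist and the sample passwords are constructed for illustration.
"""
import re

MIN_LENGTH = 12
MAX_EDIT_DISTANCE = 2  # changes of at most this many characters are rejected
COMMON_PASSWORDS = {"password1234", "qwerty123456", "welcome12345"}  # constructed


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,                       # delete char_a
                current[j - 1] + 1,                    # insert char_b
                previous[j - 1] + (char_a != char_b),  # substitute
            ))
        previous = current
    return previous[-1]


def base_word(password):
    """Lower-case, drop symbols, strip trailing digits: 'Invierno2020!' -> 'invierno'."""
    letters_and_digits = re.sub(r"[^a-z0-9]", "", password.lower())
    return letters_and_digits.rstrip("0123456789")


def check_rotation(new_password, previous_passwords):
    """Return (accepted, reason) for a proposed new password.

    previous_passwords holds the passwords available in the clear at change
    time (normally just the current one); older history is usually stored
    only as hashes and can be checked for exact reuse elsewhere.
    """
    if len(new_password) < MIN_LENGTH:
        return False, "too short"
    if new_password.lower() in COMMON_PASSWORDS:
        return False, "well-known password"
    for old in previous_passwords:
        if new_password.lower() == old.lower():
            return False, "unchanged or case-only change"
        if base_word(new_password) and base_word(new_password) == base_word(old):
            return False, "same base word with different digits or symbols"
        if edit_distance(new_password.lower(), old.lower()) <= MAX_EDIT_DISTANCE:
            return False, "too similar to a previous password"
    return True, "accepted"


if __name__ == "__main__":
    history = ["Invierno2020!"]
    for candidate in ["Invierno2021!", "Inv1erno2020!", "frontera-lluvia-9-tren"]:
        print(candidate, check_rotation(candidate, history))
```

The sequential rotation (Invierno2020! to Invierno2021!) is caught by the base-word rule, the single-character swap by the edit-distance rule, and only the unrelated passphrase is accepted. A check like this reduces the damage from forced rotation but does not replace the MFA the article recommends: a password that passes every rule can still be phished or guessed.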

Regarding the use of e-commerce platforms, in June the FBI issued a warning about an increase in malicious banking applications. Along with the alert, it provided tips on avoiding these threats, such as only downloading an app from the phone's official app store or the bank's website, and never downloading a banking app from a third party.

With regard to payments through electronic platforms, the organization recommends making them directly on the merchant's website, or contacting the financial institution directly via a phone number published on its official website to verify authenticity.

In this way, attackers are discouraged from continuing with this criminal modality.

Other industries are also under attack, such as the entertainment industry, which in June saw an attack on the law firm representing music personalities and Hollywood stars, including the President of the United States.

In conclusion, as with any big-money industry, ransomware will continue to evolve to maximize profits, while hackers take advantage of any opportunity to invade privacy, as in the case described, leaving thousands of sensitive records exposed.

Article supplied by WatchGuard.

Duván Chaverra Agudelo
Editor-in-Chief
Editorial director at Latin Press, Inc. Social communicator and journalist with more than 13 years of experience in the media. Passionate about technology.
