Emerging threat explained: What is Ransomware-as-a-Service? The history of NetWalker

If today’s cybercrime can be characterized by a single trait, it is the ability to evolve and adapt to new conditions, or, put differently, the capacity to find ways around information security controls.

Ransomware is no exception. This type of malware has evolved a lot since its inception, and today there are many ransomware families spawning new, increasingly complex variants. We witnessed several high-impact ransomware attacks in 2020. For instance, NetWalker ransomware operators recently compromised various hospitals in Spain, stealing data and paralyzing their infrastructure.

What is Ransomware?


Ransomware is, by definition, a type of malicious software that keeps the victim’s data encrypted until the attacker receives a ransom. It remains one of the major threats on the Internet. Rashly following a link in an email or running a suspicious file can set off a damaging chain of events.

In particular, the malicious operator encrypts all sensitive data on the device, leaving the user with two choices: pay a large sum for the decryption key (attackers usually demand Bitcoin or other cryptocurrencies to obscure the transaction), or lose all the data.

Is ransomware a virus?

Many people ask whether ransomware is a virus. No, ransomware is not a virus, as the software performs no action that, on its own, signals malicious activity. Unlike classic viruses, ransomware does not modify files in place, infiltrate running processes, or copy itself. It simply creates copies of documents and databases, encrypts them, permanently deletes the user’s original files and the encryption key, and leaves a ransom note.
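The copy-encrypt-delete-original behaviour described above, followed by a dropped ransom note, is itself a detectable pattern. The following is an added example, not code from the article: a small heuristic that scans a constructed file-system event log and flags directories where originals vanish right after a same-named copy with an extra extension appears and a ransom-note-like file is created. The log format, the `.locked` suffix, the note name and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from os.path import basename, dirname

# Constructed file-system event log (not from the article). One event per line:
# "<time> <op> <path>". The ".locked" suffix and the note file name are made-up placeholders.
SAMPLE_LOG = """\
10:00:01 CREATE C:/Users/ann/Docs/report.docx.locked
10:00:02 DELETE C:/Users/ann/Docs/report.docx
10:00:02 CREATE C:/Users/ann/Docs/budget.xlsx.locked
10:00:03 DELETE C:/Users/ann/Docs/budget.xlsx
10:00:03 CREATE C:/Users/ann/Docs/photo.jpg.locked
10:00:04 DELETE C:/Users/ann/Docs/photo.jpg
10:00:04 CREATE C:/Users/ann/Docs/HOW-TO-RESTORE-FILES.txt
10:05:00 CREATE C:/Users/ann/Music/mix.mp3
10:05:01 DELETE C:/Users/ann/Music/old.mp3
"""

EVENT_RE = re.compile(r"^(\S+)\s+(CREATE|WRITE|DELETE)\s+(.+)$")
# Words that commonly appear in the file name of a dropped ransom note (assumed list).
NOTE_RE = re.compile(r"(decrypt|restore|recover|ransom|readme)", re.I)


@dataclass
class DirState:
    created: set = field(default_factory=set)  # paths created so far in this directory
    pairs: int = 0      # originals deleted after an "<original>.<ext>" copy appeared
    note: bool = False  # a ransom-note-like file was dropped here


def detect(log_text: str, min_pairs: int = 3) -> list[str]:
    """Return directories showing the copy-encrypt-delete pattern plus a ransom note."""
    state: dict[str, DirState] = defaultdict(DirState)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines
        _, op, path = m.groups()
        d = state[dirname(path)]
        if op == "CREATE":
            d.created.add(path)
            if NOTE_RE.search(basename(path)):
                d.note = True
        elif op == "DELETE" and any(c.startswith(path + ".") for c in d.created):
            # The original vanished after a same-named file with an extra extension was created.
            d.pairs += 1
    return [dir_ for dir_, s in state.items() if s.pairs >= min_pairs and s.note]


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # ['C:/Users/ann/Docs']
```

The Music directory is not flagged because its single delete has no encrypted-copy counterpart and no note was dropped there.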

What is Ransomware-as-a-Service (RaaS)?


Ransomware has been constantly evolving and becoming more sophisticated since its first recorded appearance in 1989. The RaaS model means that attackers use specialized portals to create and test their own versions of the malware.

While simple varieties generally do not encrypt information, modern ones use cryptographic techniques to encipher files and make them inaccessible. Encryption can also be applied to whole hard disks to lock down the device’s operating system completely, denying affected users any access.

The end objective is to persuade the victim to pay for the decryption key; payment is usually demanded in cryptocurrencies that are hard to trace (Bitcoin, for example).

Unfortunately, there is no assurance that the attackers will keep their side of the bargain after payment. The prominence of ransomware as a financially motivated cyber threat has grown substantially over the past ten years. Today it is the most well-known malware threat globally, as documented in Europol’s Internet Organised Crime Threat Assessment.

How Does RaaS Work?


Nowadays, most users have a popular antivirus installed or rely on the built-in Windows malware removal tool. With such a defense in place, they consider themselves completely safe. Yet the ransomware quietly starts up, encrypts files and documents, and leaves a ransom message.

Typically, the operators announce that they will hand over a decryption key upon receiving payment in cryptocurrency. Usually, the user downloads and runs the ransomware themselves. Ransomware typically reaches a computer through:

  • Phishing messages. Phishing emails are one of the most popular ways of spreading malware. Victims are commonly infected through malicious attachments or links disguised as legitimate ones.
  • Fake updates or cracked games and programs. These installers exploit flaws and weak spots in software and operating systems to deploy ransomware.
  • Malvertising. Malware operators use ad networks for distribution.

Encrypting malware poses serious problems, and recovering the files takes a great deal of effort and time. A simple antivirus is not enough for reliable ransomware protection: sooner or later it will miss new malware whose signature is not yet in its databases. Therefore, additional protection measures, such as regular backups with restricted access, decryption utilities, and a proactive protection system, are worth considering.

The history of NetWalker ransomware attacks

NetWalker was first identified in August 2019. It was originally named Mailto; later research led to the name “NetWalker.” The malware operates under the Ransomware-as-a-Service (RaaS) scheme. US law enforcement and data security experts state that a group of hackers originating from Russia created the Mailto family and that its activity has recently increased. Among the victims of NetWalker are:

  • private businesses;
  • educational institutions;
  • government structures;
  • medical facilities.

According to Malwarebytes threat statistics, the power and danger of these attacks have intensified even though the number of ransomware cases has dropped compared with previous years.

Private business

In early November 2019, targeted ransomware attacks knocked out two Spanish businesses within a single day: the large IT services and consulting firm Everis, owned by NTT Data Group, and the radio company Sociedad Española de Radiodifusión (Cadena SER).

However, RaaS groups that extort money to unlock encrypted computers do not attack Russian companies. Russia has large enterprises able to pay ransoms of millions of dollars, yet they have avoided ransomware attacks because the criminals have agreed not to operate in the RU zone.

Educational institutions

In late July 2019, the Louisiana state government declared a state of emergency following multiple ransomware attacks on schools. The attacks locked up information on school computer networks in three districts. Attacks on US schools, colleges, and universities continued in 2020: the University of California San Francisco (UCSF) and the University of Utah both had data stolen and encrypted. UCSF hired cybersecurity consultants to investigate the incident and is working with the FBI. The university says students’ sensitive information was not affected.

Government structures

More than 100 government bodies in the United States were hit by ransomware in 2019. The most significant events were the attack on a US Coast Guard base and the ransomware attack on government agencies in New Orleans.

The US Coast Guard base was hit by malware that disabled cameras, door access control systems, and monitoring systems. Cybersecurity specialists also reported extensive attacks against retailers, manufacturers, and transportation companies.

All of them hold large amounts of monetizable data or rely on outdated technologies and, as a result, are at risk. In most of these attacks, criminals exploited Windows Server Message Block (SMB) vulnerabilities. The experts also noted the close relationship between ransomware and banking Trojans: Trojans open the door for targeted, highly profitable ransomware attacks, which explains how the ransomware gets deployed.

Medical facilities

At the end of August 2019, hundreds of dental clinics in the United States became victims of a malware attack. The clinics had to pay a ransom to decrypt their files, but the recovery process was slow, and dentists were forced into an outage for several days while their computer systems were locked. The malware had been embedded in the infrastructure of DDS Safe, a service designed to store and back up medical records.

In mid-September 2020, a ransomware attack killed a person for the first time. After an attack on a German hospital’s software, patients had to be transferred to another medical facility, and one of them died during the transfer.

Ransomware Attacks in 2020


Ransomware mainly targets large organizations but is used against businesses of every size. A vivid example is the September attack on K-Electric, one of Pakistan’s major power providers. The company serves over 2 million customers and has more than 10,000 employees. The group demanded almost $4 million.

In early July, the Maze hacker group broke into Xerox’s IT systems. They threatened to publish personal data and demanded a ransom from the company. A Xerox branch in Europe, possibly in London, was breached, and the ransomware operators gained access to the company’s servers, allowing them to steal several financial documents and information from a user database.

Also in July, Garmin Ltd. became a victim of a ransomware attack. The manufacturer of navigation devices paid the cybercriminals a ransom of $10 million to restore all of its services. The attack is known to have affected hand-held devices and associated services; the flyGarmin and Garmin Pilot services, which support Garmin’s aviation navigation products, were also taken down. The company was allegedly hit by cybercriminals using the WastedLocker ransomware, which cybersecurity experts associate with the Evil Corp hacker group. It became one of the most infamous ransomware attacks of 2020.

In mid-August, the world’s biggest cruise operator, Carnival, fell victim to ransomware, exposing customer data to the hackers. The company said it discovered the cyberattack on that same date.

The unidentified operators partially encrypted the systems and downloaded files belonging to one of the company’s brands. Carnival did not disclose which brand was affected; it operates Costa, P&O Cruises, Carnival Cruise Line, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn. The stolen data included guests’ and employees’ personal information, exposing the company to potential lawsuits from them.

How to Prevent Ransomware?


In today’s environment, users must recognize that threats come in many forms and can use the most advanced techniques to penetrate the corporate network and infect computers and servers. The goal, therefore, is not to build a protective mechanism against one specific threat but to develop a comprehensive defensive strategy, one that makes it possible to recognize ransomware and avoid it.

It helps to analyze every process running on the systems and act before a threat can exploit a vulnerability and paralyze the enterprise. In this respect, the importance of an advanced antivirus solution is often underestimated. The Eset antivirus review would be of interest to all users seeking robust and reliable ransomware protection.

Several essential tips to protect your computer from ransomware:

  • Keep all your systems and applications up to date. Most attacks succeed because systems are not kept up to date, allowing the attack to exploit known security vulnerabilities.
  • Be careful with Remote Desktop Connection. Most ransomware penetrates operating systems via RDP (Remote Desktop Protocol). Use a VPN and two-factor authentication to prevent this.
  • Adopt zero tolerance for phishing messages. If the sender is unknown, do not open attachments or follow links.

Finally, keep remote backups. Many types of malware destroy backups stored on the affected systems or devices. To avoid the worst possible consequences, it is vital to keep backups stored remotely, where the infected systems cannot reach them.