How the Nasty NetWalker Behaved in the Past Few Months
NetWalker (aka Mailto) ransomware, developed and operated by a cybercrime group known as Circus Spider, has been active since mid-2019. Over the past few months, its operators have been actively targeting victims, mostly in corporate networks.
Actor's top targets
Lately, the NetWalker operators have targeted several enterprises running Windows systems.
- The group's activity increased during the coronavirus pandemic, with much of it directed at the healthcare sector.
- Notable victims include Lorien Health Services, Champaign-Urbana Public Health District, The Center for Fertility and Gynecology, Crozer-Keystone Health System, and several others.
- Besides healthcare, the ransomware had been used to target various firms in manufacturing (Canadian Tire), business management solutions (Barbizon Capital), customer experience management (Stellar), electromobility and battery solutions (Forsee Power), education (University of California), and many more.
- The group behind this ransomware operates in a ransomware-as-a-service model and can quickly adapt to current events (as it evidently took advantage of the coronavirus pandemic).
- In late July, the group was found exploiting the CVE-2019-11510 and CVE-2019-18935 vulnerabilities.
- Earlier, in May, the group was observed using reflective Dynamic-Link Library (DLL) injection to infect victims.
Affiliations and partnerships
The cybercrime group behind this ransomware is identified as Circus Spider, a financially motivated threat group. At the end of May, the ransomware group was reportedly inviting other criminals to become partners in spreading the ransomware, giving preference to those with cybercrime experience and access to corporate networks.
NetWalker ransomware uses a double-extortion strategy: it first encrypts the victim's data and then blackmails the victim with the threat of leaking it publicly. Experts suggest the most efficient way to counter this threat is to stop the ransomware at the initial stage with adequate security measures, such as secure email gateways, endpoint protection, and security training for employees.