University After University, NetWalker Operators on a Ransomware Attack Spree

Over the last week, the NetWalker hacking group has been targeting colleges across the US and threatening them to release confidential data if their ransom demand is not met. Attackers are increasingly impacting educational institutions not only for ransomware payments but also for COVID-19 related research.

What’s with the colleges?

  • On May 28th, NetWalker breached Michigan State University and threatened them to publicize the stolen data if a ransom was not paid. The ransom demand was not met, which prompted the ransomware operators to publicly release the institution’s data including screenshots showing file directories, financial documents, and a passport scan stolen from the university’s network.
  • By attacking Columbia College of Chicago, the NetWalker group added one more college to its list of victims. The hackers alarmed the college about selling the stolen data, comprising students’ private information like social security numbers, on the dark web markets.
  • Allegedly, the NetWalker hacking group has attacked the University of California San Francisco (UCSF), stealing unencrypted data and encrypting their systems as reported on June 3rd. As part of the UCSF breach, the hackers have published screenshots of the stolen files on their data leak site, which include students’ social security numbers, a spreadsheet, and folders containing employee information, financials, and medical studies.

NetWalker, bigger than it appears

  • The ransomware started its operations as “Mailto” in 2019 and later in February 2020, it renamed itself to NetWalker.
  • NetWalker is known to target exposed remote desktop services and obtain access to organizations’ networks to steal unencrypted files before encrypting their systems.

Before the attacks on educational institutions

  • The NetWalker hacking group attacked Toll Group, an Australian transportation and logistics company, encrypting its systems across several sites and business units in February 2020.
  • In March 2020, various hospitals in Spain were attacked, luring victims with information on COVID-19 through phishing emails enclosing malicious PDFs. These PDF files led to the installation of the NetWalker ransomware.

Wrapping up

Looking at the recent victims, which were all academic institutions, the attacks may point out a vulnerability in exposed remote desktop servers or a widely used application or device. Universities must ensure that they patch their systems properly, filter their emails, disable PowerShell when not required, and use multi-factor authentication.