
Department of Justice Launches Global Action Against NetWalker Ransomware

An investigation led by the FBI’s Tampa field office culminated in the indictment of a NetWalker ransomware affiliate, the takedown of the NetWalker leak site on the Darknet, and the seizure of nearly $500,000 USD in cryptocurrency. NetWalker ransomware first appeared in late 2019 and has attacked companies in nearly every industry, most recently targeting the healthcare sector. It operates on a ransomware-as-a-service model: the developers create and update the ransomware, while affiliates identify and attack high-value victims. The individual charged is a Canadian national alleged to have obtained more than $27.6 million USD in ransom payments from victims while working with the NetWalker gang. The investigation was assisted by the Bulgarian National Investigation Service, which was responsible for seizing the dark web site used by NetWalker.

Analyst Notes

Ransomware attacks surged in 2020 as criminals exploited companies moving to remote work and a healthcare industry consumed by its response to the COVID-19 pandemic. Law enforcement agencies are looking to push back against the cyber criminals in 2021. Special Agent in Charge Michael F. McPherson of the FBI’s Tampa office stated, “This case illustrates the FBI’s capabilities and global partnerships in tracking ransomware attackers, unmasking them, and holding them accountable for their alleged criminal actions.”

Even with the FBI’s recent success, ransomware remains a significant threat. To limit data loss, maintain offline, encrypted backups and regularly test that they can actually be restored; a backup that has never been restored is an untested assumption. Take backups at regular intervals so that the window of lost data is small if they are ever needed. Create and maintain an incident response plan that includes response and notification procedures specific to a ransomware incident. Regularly patch software and operating systems to the latest available versions.

Threat actors commonly gain initial access through unsecured Internet-facing remote services or phishing. Employ best practices for RDP and other remote desktop services: do not expose them directly to the Internet, place them behind a VPN protected with Multi-Factor Authentication (MFA), and audit unusual login events, such as logins from IP addresses or devices that differ from what the employee account normally uses. When an attack makes it through the outer layers of defense, it is important to have a third-party monitoring service such as the Binary Defense Security Operations Task Force. The Task Force provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization’s network.
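The login-audit recommendation above is easy to state but needs a concrete baseline to act on. The following is an added example, not code from Binary Defense or from the original article: it builds a per-account baseline of source networks and device names from prior successful logins, then flags new logins whose source network or device has not been seen for that account, or that belong to an account with no history at all. The login records, account names, IP addresses and device names are constructed for illustration, and grouping source IPs by /24 is an assumed heuristic that a real deployment would tune (or replace with ASN or geolocation lookups).

```python
"""Flag remote-service logins from networks or devices an account has not used before."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records, not real telemetry: (user, source_ip, device_name, outcome).
# BASELINE_LOGINS stands in for a history window (e.g. the last 30 days of VPN/RDP logins);
# NEW_LOGINS stands in for the events under review.
BASELINE_LOGINS = [
    ("alice", "203.0.113.10", "ALICE-LAPTOP", "success"),
    ("alice", "203.0.113.11", "ALICE-LAPTOP", "success"),
    ("bob",   "198.51.100.7", "BOB-DESKTOP",  "success"),
    ("bob",   "198.51.100.7", "BOB-DESKTOP",  "success"),
]

NEW_LOGINS = [
    ("alice", "203.0.113.12", "ALICE-LAPTOP", "success"),  # same /24, known device: normal
    ("bob",   "192.0.2.55",   "BOB-DESKTOP",  "success"),  # new network, known device
    ("bob",   "192.0.2.55",   "WIN-TMP01",    "success"),  # new network and new device
    ("carol", "198.51.100.9", "CAROL-PC",     "failure"),  # account with no login history
]


def build_baseline(logins, prefix_len=24):
    """Record the source networks and device names each account has successfully used.

    Only successful logins contribute to the baseline; failed attempts should never
    teach the detector that an attacker's network is "normal" for an account.
    Source IPs are collapsed to a /prefix_len network (assumed heuristic) so that a
    user whose home ISP hands out a new address in the same range is not flagged.
    """
    nets = defaultdict(set)
    devices = defaultdict(set)
    for user, ip, device, outcome in logins:
        if outcome != "success":
            continue
        nets[user].add(ip_network(f"{ip}/{prefix_len}", strict=False))
        devices[user].add(device)
    return nets, devices


def audit_logins(logins, baseline):
    """Return the logins that deviate from the account's baseline, with reasons.

    Each finding is a dict with the original fields plus a list of reasons, so an
    analyst can see at a glance whether the network, the device, or both are new.
    """
    nets, devices = baseline
    findings = []
    for user, ip, device, outcome in logins:
        reasons = []
        if user not in nets:
            # No successful history at all: first-ever use of the account, or a new/dormant
            # account being tried. Worth a look regardless of outcome.
            reasons.append("no prior successful login history for account")
        else:
            addr = ip_address(ip)
            if not any(addr in net for net in nets[user]):
                reasons.append(f"source {ip} outside known networks")
            if device not in devices[user]:
                reasons.append(f"device {device} not seen before")
        if reasons:
            findings.append({"user": user, "ip": ip, "device": device,
                             "outcome": outcome, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_logins(NEW_LOGINS, build_baseline(BASELINE_LOGINS)):
        print(f"{finding['user']:<6} {finding['ip']:<14} {finding['device']:<13} "
              f"{finding['outcome']:<8} {'; '.join(finding['reasons'])}")
```

Running the block prints three findings: bob's two logins from the unfamiliar 192.0.2.0/24 range (the second also on an unknown device) and carol's attempt from an account with no baseline, while alice's login from a new address inside her usual /24 is correctly left alone. In practice the baseline would be rebuilt on a rolling window from the VPN gateway or domain controller logs feeding the SIEM, and a login flagged for both a new network and a new device on an account with RDP access is the kind of event that warrants an immediate MFA re-challenge and a call to the user.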