Threat Watch

Netwalker Ransomware Operators Targeting Universities

Netwalker: The operators behind the growing Netwalker ransomware have posted data online as proof that their latest victim is the University of California San Francisco (UCSF). UCSF is focused primarily on health and sciences and is ranked as one of the top medical schools for research in the United States. Over the past week, multiple colleges have been hit by the Netwalker ransomware, including Michigan State University and Columbia College of Chicago. The group is now threatening to release the stolen files from the attack if the college does not pay the ransom. Sample data that the group posted online included UCSF application forms that clearly show students’ personal information, including Social Security numbers, along with employee information, medical studies, and financials. UCSF had not replied to requests for comment at the time of writing.

ANALYST NOTES

Netwalker has been making a name for itself since being rebranded in February 2020 from its original name, Mailto. The group has claimed a steady stream of victims in its announcements, and not all of them have been universities. The ransomware has targeted exposed Remote Desktop Services in the past to gain initial access to enterprise networks. Once the operators have access to a network, they expand that access to as many workstations and servers as they can in order to steal sensitive files before encrypting the devices. The recent cluster of attacks on universities could point to a significant vulnerability in a piece of software or an application commonly used within universities. Because of the recent trend in ransomware of selling or leaking stolen data if the ransom is not paid, backups alone are sometimes not enough to fully protect a victim, though regularly scheduled and tested backups are still the most important practice for recovery. With budget cuts and traditional ways of schooling being altered over the past few months, many organizations feel the need to cut spending, and security budgets are often cut first. Attacks like these show how imperative it is to maintain proper security measures, because recovering from an extensive attack can be far more costly than the security services that would have prevented it. A service such as Binary Defense’s Managed Detection and Response or SIEM monitoring can identify these attacks and stop them from moving throughout an entire network, minimizing the damage and the leverage an attacker may gain over their victim.
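The analyst notes point to exposed Remote Desktop Services as a past initial-access vector and to SIEM monitoring as the control that catches the intrusion early. The following is an added example, not code from the Threat Watch brief or from Binary Defense, of the kind of detection rule a SIEM would run for that stage: it reads a constructed, simplified feed of Windows Security logon events (Event ID 4625 for failed logons, 4624 for successful ones, logon type 10 for RDP), counts RDP failures per source address inside a sliding window, and raises a second, higher-priority alert when a successful RDP logon follows from an address that was already guessing passwords. The field layout, thresholds, and sample addresses are assumptions for illustration.

```python
# Added example (not from the Threat Watch brief or Binary Defense): flag
# password guessing against exposed Remote Desktop Services using Windows
# Security log events. Windows records failed logons as Event ID 4625 and
# successful logons as 4624; logon type 10 is RemoteInteractive (RDP).
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive: Terminal Services / RDP
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample feed (assumed pipe-delimited export):
# timestamp|event_id|logon_type|source_ip|target_user
SAMPLE_EVENTS = [
    "2020-06-02T08:00:01|4625|10|203.0.113.7|administrator",
    "2020-06-02T08:00:09|4625|10|203.0.113.7|admin",
    "2020-06-02T08:00:15|4625|3|203.0.113.7|admin",        # network logon, not RDP
    "2020-06-02T08:00:40|4625|10|198.51.100.5|jsmith",      # one typo from a staff member
    "2020-06-02T08:01:02|4625|10|203.0.113.7|backup",
    "2020-06-02T08:01:30|4625|10|203.0.113.7|helpdesk",
    "2020-06-02T08:02:05|4625|10|203.0.113.7|svc_backup",  # 5th RDP failure in the window
    "2020-06-02T08:02:30|4625|10|203.0.113.7|svc_backup",
    "2020-06-02T08:02:50|4624|2|10.0.0.12|jsmith",         # console logon, not RDP
    "2020-06-02T08:03:00|4624|10|203.0.113.7|svc_backup",  # success after the guessing
]


def parse_event(line):
    """Split one constructed feed line into a typed record."""
    ts, event_id, logon_type, src, user = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "user": user,
    }


def detect_rdp_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts in time order.

    rdp_brute_force: a source address reached `threshold` failed RDP logons
        within `window` (raised once per address).
    rdp_success_after_brute_force: a successful RDP logon arrived from an
        address that had already tripped the first rule, which is the point
        at which the intrusion becomes an active foothold on the network.
    """
    failures = defaultdict(deque)   # source ip -> timestamps of recent RDP failures
    alerted = set()                 # addresses that already tripped the threshold
    alerts = []
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # only RDP logons matter for this rule
        src = ev["src"]
        if ev["event_id"] == EVENT_LOGON_FAILED:
            recent = failures[src]
            recent.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"rule": "rdp_brute_force", "src": src,
                               "failures": len(recent), "ts": ev["ts"]})
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and src in alerted:
            alerts.append({"rule": "rdp_success_after_brute_force", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
```

On the constructed feed the rule fires once for 203.0.113.7 at the fifth RDP failure and again when that address logs in successfully as svc_backup; the single failure from 198.51.100.5 and the non-RDP logons produce nothing. The second alert is the one worth paging on, because it marks the moment the operators have the foothold from which the analyst notes describe them spreading to other workstations and servers.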

More can be read here: https://www.bleepingcomputer.com/news/security/netwalker-ransomware-continues-assault-on-us-colleges-hits-ucsf/?&web_view=true