Coronavirus phishing attacks continue: now deliver Netwalker ransomware

by Julie Splinters - - 2020-03-23

The overworked members of the healthcare sector are being targeted with coronavirus-themed phishing emails

Netwalker ransomware delivered via phishing A new phishing campaign uses coronavirus crisis to infect healthcare providers with Netwalker ransomware

Due to the COVID-19 pandemic worldwide, the healthcare sector has been under huge stress for a while now, lacking medical equipment and struggling with a shortage of bed spaces in hospitals. If that would not be enough, some cybercriminals ignore the global crisis and instead target healthcare providers with malware for financial gain.

It seems like Netwalker ransomware developers do not care about the global crisis, and only want the money despite the difficulties that the health sector is currently facing. While the body text of the email could not be detected, the head of cybersecurity firm SentinelLabs, Vitali Kremez, said on Twitter that the attackers are delivering malicious attachments that incorporate the Netwalker ransomware:^[1]

[Insight] Another Ransomware Extortionist Group “#NetWalker” Spotted Attacking Healthcare AND Leveraging #CoronaVirus Phishing Lures

Coronavirus-themed phishing has increased worldwide due to the natural public interest in the pandemic, and cybersecurity experts, as well as government institutions like CISA, issued^[2] multiple warnings about the increasing number of attacks related to COVID-19 outbreak. Crooks have been impersonating World Health Organization with fake donation requests, a fake pandemic heat map was found to run AZORult baking trojan in the background, and much more.

The malicious “CORONAVIRUS_COVID-19.vbs.vbs” file used to launch malware on the system

In the new targeted phishing campaign, Netwalker ransomware gang are using attachments with an embedded script and executable. The attachment is called “CORONAVIRUS_COVID-19.vbs.vbs” – it extracts a “qeSW.exe” file and places it into Temp folder. The malware will then insert a malicious code into Windows Explorer via the built-in API – this capability is known as process hollowing. Netwalker will then perform other necessary changes that are typically used by ransomware, such as deletion of Shadow Volume Copies, termination of anti-malware software, modification of Windows Registry, etc.

When preparations are complete, Netwalker ransomware will encrypt all data located on the local and networked drivers, appending a custom string to each of the files. As a final process, malware will deliver a ransom note [extension]-Readme.txt, which explains that a ransom should be paid in order to retrieve the encrypted files.

There is no decryption software currently that would be able to recover Netwalker-encrypted files and, although data can be recovered from backups, ransomware infection can create major disruptions for hospitals and all the parties dealing with the crisis. To make matters worse, some cybercriminal gangs steal sensitive data during the infection and publish it online if the ransom is not paid on time.^[3]

Netwalker was responsible for other attacks on healthcare sector

Amid a global pandemic, some well-known cybercriminal gangs behind such strains like Maze ransomware and DoppelPaymer claimed that they would not attack hospitals and other organizations dealing with the COVID-19 crisis.^[4] They claimed that, in the case of unintentional infection, decryption keys would be provided for free. However, not all groups are reliable – actors behind Netwalker continue trying to infect the healthcare sector despite the outbreak.

Netwalker ransomware,^[5] previously known as Mailto ransomware, was first spotted in September 2019, and now mainly targets government institutions and organizations worldwide. Earlier this month, Champaign Urbana Public Health District (CHUPD) in Illinois was hit by the Netwalker gang – the organization had to set up an alternative website to provide the regular functions.^[6]

Without a doubt, ransomware attacks can significantly disrupt the operation of hospitals as well as the supply chains that manufacture and deliver the much-needed equipment (masks, hand sanitizers, respirators, etc.). Even if certain cybercriminal gangs promised to stop malicious activities at this hard time, there are hundreds of other groups that will be willing to abuse the COVID-19 pandemic for personal gain, so IT staff should be extremely vigilant.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Vitali Kremez. [Insight] Another Ransomware. Twitter. Social Network.
^ Defending Against COVID-19 Cyber Scams. CISA. Cybersecurity and Infrastructure Security Agency.
^ Sergey Golubev. Backing up is no panacea when blackmailers publish stolen data. Kaspersky daily. Security blog.
^ Davey Winder. Hackers Promise 'No More Healthcare Cyber Attacks' During COVID-19 Crisis. Forbes. American business magazine.
^ Linas Kiguolis. Remove Netwalker ransomware (Easy Removal Guide) - Recovery Instructions Included. 2-spyware. Cybersecurity news and articles.
^ Shaun Nichols. Fresh virus misery for Illinois: Public health agency taken down by... web ransomware. Great timing, scumbags. The Register. Sci/Tech News for the World.