Google is warning users of an increase in government-sponsored phishing attacks using NetWalker ransomware during the COVID-19 pandemic
With people all over the world spending their days self-quarantining and adhering to social distancing guidelines as a result of the Coronavirus, cyber-criminals have used this unprecedented historic event to take advantage of unsuspecting victims as they spread new variants of ransomware via a series of aggressive Coronavirus phishing campaigns.
One of these ransomware variants is NetWalker ransomware.
Telecommuters, businesses, government entities and health organizations have all been reported to have been victimized by NetWalker attacks.
Two widely reported instances involving NetWalker were carried out against the Toll Group, an Australian transportation and logistics company, and the Illinois Champaign-Urbana Public-Health District website, which temporarily prevented their employees from accessing important files and data. The latter attack was serious enough to force the FBI and the Department of Homeland Security to step in.
Netwalker Ransomware is a file-locking Trojan that is a variant of a threat that was first spotted in 2019 called Mailto Ransomware. The hackers behind Netwalker Ransomware have increased their efforts during the Coronavirus outbreak, as have many other cybercriminals who have taken advantage of the frenzy surrounding COVID-19 to launch aggressive spear phishing campaigns.
Netwalker Ransomware Propagation and Encryption
The Netwalker Ransomware appears to be utilizing spam emails that claim to host an important document that needs to be reviewed urgently. The name of the attached file is ‘CORONAVIRUS_COVID-19.vbs.’ This is a Visual Basic Script file that is designed to look like a genuine, harmless document file. If the targeted user opens the malicious VBS file, they will trigger the execution of the Netwalker Ransomware.
Once the Netwalker Ransomware is executed successfully, it will begin the encryption process. This means that all the data present on the user’s system – documents, images, presentations, databases, archives, audio files, spreadsheets, videos, etc. – will be locked with the help of an encryption algorithm. After the encryption process has been concluded, the affected files will no longer be usable.
Most ransomware threats tend to append a fixed extension to all the locked files. However, the Netwalker Ransomware takes a different approach. This data-encrypting Trojan generates a unique extension for every victim. According to researchers, in the case of the Netwalker Ransomware, there are no limitations characters-wise when it comes to generating an extension.
The Ransom Note
The Netwalker Ransomware will drop a ransom note on the users’ computer to let them know what has happened to their systems. In the ransom message, the attackers state that there is no way out of this situation unless the victim decides to pay the ransom fee demanded.) There is no mention of a specific ransom fee, so it is likely that the sum will be calculated individually for each victim. The authors of the Netwalker Ransomware ask the user to download and install the TOR browser in order to access their site, which contains further information and instructions.
Your files are encrypted.
All encrypted files for this computer has extension: .1401
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised,
rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you,
it could be files on the network belonging to other users, sure you want to take that responsibility?
Our encryption algorithms are very strong and your files are very well protected, you can’t hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover.
We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned.
Unfortunately, there are currently no known weaknesses in the ransomware. That fact is making it extremely difficult for security researchers to create a public decryption tool. In any event, victims are always urged not to pay the ransom demand. There is no guarantee that the hackers will restore the files as they promise, or that the computer won’t get infected again in the future.
With cybercriminals taking advantage of significant news events like the Coronavirus pandemic, everyone should be more vigilant when it comes to suspicious looking emails claiming to have vital news and information, as there really are usually no obvious signs that an email may be carrying malware. And always remember to stick to official sources when looking for your news.