Ransomware Recovery Tales: The Battle of Netwalker
Netwalker is a ransomware variant that has grown in popularity in 2020. This reflects the continued rise of Ransomware as a Service (“RaaS”), a business model that allows threat actors to deploy, and profit from, ransomware without the need to build or manage the underlying infrastructure.
MOXFIVE has found threat actors utilizing the Netwalker RaaS to be both opportunistic and effective at infiltrating and encrypting networks of varying sizes, however the observed trend is targeting medium to large organizations, between 500 and 10,000 systems. The threat actors’ tools and techniques vary between incidents, but the constant is their understanding of how to overcome defenses and gain footholds within environments before deploying the Netwalker ransomware. Additionally, the threat actors have been known to steal information from the victim network and release on a dark web site if the ransom is not paid within a certain timeframe, another alarming trend for many ransomware groups. This introduces a compounding risk to organizations who fall victim to these breaches beyond data loss and recovery costs.
MOXFIVE has observed Netwalker threat actors leverage multiple methods to gain initial access into a victim environment, from emailing malicious documents as attachments to exploiting internet facing firewalls with known vulnerabilities. Information security best practices such as patching all vulnerable systems, especially external facing systems, and providing security awareness training for end users, is critical and has one of the largest impacts in reducing the attack surface.
The threat actors associated with Netwalker ransomware have varying levels of success at reconnaissance, lateral movement, and persistence. While responding to Netwalker infections, MOXFIVE has assisted in the containment and mitigation of toolsets such as Cobalt Strike and Metasploit being used for both lateral movement and persistence. While these toolsets are advanced in nature of capability, once the malicious tool have been identified it allows for a clear process forward with containment. Contrarily, we have also seen threat actors utilize methods of reconnaissance and lateral movement often used by the IT teams of the organizations we are trying to help recover from the impact of ransomware, such as Remote Desktop Protocol (“RDP”) or free network scanning tools such as Nmap or Angry IP Scanner. Understanding proper containment without hampering recovery efforts is a balancing act that we have perfected during our many recovery successes. Additionally, MOXFIVE has observed Netwalker threat actors encrypt system backups to increase the chances of ransom payment for the decryption tool. However, not all threat actors are successful in impacting backups, either on-premise or stored in the cloud. This avoids the need to pay the ransom as well as reducing the Recovery Time Objective, the amount of time from initial impact to full business recovery.
With the uptick of RaaS, including Netwalker, it is increasingly important to have a viable and resilient backup plan that protects backups from being encrypted or deleted, especially given the expansive nature of tools and tactics.
Netwalker Recovery Case Study
MOXFIVE has helped many organizations recover from Netwalker ransomware incidents, and in doing so developed a streamlined recovery process for Netwalker attacks. In one instance MOXFIVE assisted with the recovery of an environment where 70% of the environment was impacted, which amounted to approximately 700 impacted servers & 3,000 impacted workstations. While the threat actor was successful in performing many activities across the ATT&CK matrix lifecycle, including utilizing an advanced toolset called Cobalt Strike to spread and maintain access within the environment; they were thankfully unsuccessful in impacting server backups. In many Netwalker attacks, the threat actors successfully delete or encrypt enterprise backup solutions that were not isolated from the network.
When determining the current state of infrastructure critical systems, it is important to take a close look at Domain Controllers (“DCs”) for identifying possible impact. MOXFIVE has found that while Netwalker does not impact certain services, such as Active Directory (“AD”) authentication or DHCP, the Netwalker ransomware will encrypt the SYSVOL directory on a DC causing Group Policy Objects (“GPO”) to break. This has a cascading impact as GPOs can often be used for containment or recovery efforts. Thankfully for the organization here, MOXFIVE was able to recover AD from backup and restore all services to a healthy state in a short amount of time. Had backups been impacted, MOXFIVE would have explored other options, such as leveraging a decryption utility, had it been necessary to acquire, or attempt to rebuild AD in the most efficient way possible.
During any ransomware event, application servers (e.g. Microsoft IIS, MSSQL) tend to be impacted to a greater degree than other systems, often requiring specialists such as MOXFIVE to come in and properly restore functionality. The Netwalker ransomware variant modifies file extensions with random characters. For application servers, the running services can sometimes recreate new blank files, which then, break the dependent services. In our case study, the organization needed assistance in restoring mission critical MSSQL servers that unfortunately had corrupt backups. The data was deemed critical and the organization opted to acquire a decryption key. MOXFIVE assisted in decrypting the data and addressed the configuration issues to restore functionality of the servers in 48 hours.
Workstations did not fare as well as the servers in this attack. The Netwalker executable has a function in its code to find and delete the Volume Shadow Copy on Windows systems to prevent the IT team or administrator from restoring from the built-in Windows backup service. This is the most common backup method that organizations use for workstations. Approximately 3,000 workstations were encrypted during the attack. Due to the decryption utility already being acquired, MOXFIVE automated the decryption process to decrypt the vast majority, 2,900 workstations, in three days.
With MOXFIVE’s assistance, the organization was able to restore 95% of all operations in less than two weeks.
Netwalker, like all RaaS, is a troubling development in the evolution of financially motivated threat actors’ capabilities. The downtime and data loss impact on organizations, in addition to the attackers’ ability to hold stolen data hostage, is an impactful combination. Expect to see a growing number of ransom payments and higher ransoms, until the defenders catch up with this trend. Investing in protective measures that mitigate the attacks, and in technology and skillsets to rapidly recover from those incidents better positions companies to mitigate negative outcomes.
For those that do find themselves as an unfortunate victim of a Netwalker ransomware attack, our objective for this blog is to shed light on the tactics the threat actor uses as well as useful lessons for recovery. Recovery speed is critical with every enterprise ransomware attack. With MOXFIVE’s recovery playbooks, we assist organizations in scaling recovery efforts to reduce downtime and restore operations.