Netwalker Ransomware vs X-PHY®

What is Netwalker Ransomware?

With the world still suffering from the COVID-19 crisis, cyber-criminals are taking advantage of the situation to spread new ransomware variants through phishing campaigns built around related topics. Among them, Netwalker, also known as MailTo, is the most aggressive: it has been reported to have reaped more than 25 million in ransom payments in the six months from March 2020.

Netwalker ransomware has been developed and operated since 2019 by the cybercrime group “Circus Spider”. The group also maintains a blog on the Darknet where it publishes information about new victims alongside a countdown to the deadline for paying the ransom. In early 2020 they attacked around 1000 servers at the Australian transport company Toll Group. As a result, the company advised all staff worldwide to disconnect from the corporate network and completely turn off their electronic devices to protect against the attack, and its cyber security team locked down all systems across multiple sites and business units.

Netwalker also targets universities that conduct Covid research in collaboration with governments: because of the sensitivity of that data, the attackers can demand a higher ransom. According to a Bloomberg report, the University of California San Francisco was one of the victims of the cyber attacks on Covid research institutions, and the Columbia College of Chicago and Michigan State University were targeted too.

How does Netwalker Ransomware work?

Its name comes from its use by network intrusion specialists against corporate targets. It is offered as “Ransomware-as-a-Service (RaaS)”: affiliates distribute it and keep 80% of the revenue from each attack. It encrypts all the files in about a minute and drops a ransom note with instructions on how to get the data back by paying the ransom; the encrypted files are renamed to include the email address to contact. Its operators work mostly on the dark web, which is reached through the Tor browser, a private anonymity browser that routes traffic through three layers of encryption.

Here is a summary of how the ransomware works :

Step 1: Phishing and Infiltration

The attacker targets the company’s employees with spam emails that contain a phishing link. The malware carries an embedded configuration holding the ransom note text, the ransom note file name and various other settings.

Step 2: Data Exfiltration and Encryption

Netwalker spreads across the network through an Office document such as a Word or Excel file that contains macros (a series of commands and instructions grouped together as a single command to accomplish a task automatically). The attacker attaches the document to the phishing email from step 1; once the recipient opens it, the macros run a VBS script and the ransomware starts to execute.

What makes this ransomware particularly nefarious is that it belongs to a newer class of malware: once execution succeeds, it can spread to all hosts on the same Windows network and exploit them. After execution it encrypts the data on every compromised host in the network.

Step 3: Data Extortion and Recovery (Or Loss)

After gaining access and encrypting the data, the attackers post a screenshot of the stolen data together with a countdown on Netwalker’s public shaming website, reachable through the Tor browser. They demand that the company pay the ransom within a week to keep the data private; if it fails to do so, the data from the infected hosts is exposed online.
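The behaviour in step 2, many files renamed with one opaque extension within about a minute, is what a defender can watch for on a file-activity log. The following detection logic is an added example, not code from the original post or from Flexxon: it parses constructed log lines (the log format is assumed; the `.f608f9` extension is the one seen in the test run described later on this page) and flags a burst of renames that append the same extension within a short window.

```python
"""Flag a ransomware-style burst of renames in file-activity logs.
Added example, not Flexxon/X-PHY code; the log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <ACTION> <path> [-> <new path>]".
# It mimics the behaviour described on the page: within seconds, many files
# keep their name but gain one opaque extension (.f608f9 in the test run),
# then a ransom note is dropped; a normal one-off rename follows later.
SAMPLE_LOG = """\
2020-07-01T10:00:00 RENAME C:\\Users\\alice\\report.docx -> C:\\Users\\alice\\report.docx.f608f9
2020-07-01T10:00:01 RENAME C:\\Users\\alice\\budget.xlsx -> C:\\Users\\alice\\budget.xlsx.f608f9
2020-07-01T10:00:01 RENAME C:\\Users\\alice\\photo.jpg -> C:\\Users\\alice\\photo.jpg.f608f9
2020-07-01T10:00:02 RENAME C:\\Users\\alice\\notes.txt -> C:\\Users\\alice\\notes.txt.f608f9
2020-07-01T10:00:03 CREATE C:\\Users\\alice\\f608f9-Readme.txt
2020-07-01T10:30:00 RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
"""

def parse_events(text):
    """Turn log lines into (time, action, src, dst) tuples; dst is None unless RENAME."""
    events = []
    for line in text.splitlines():
        ts, action, rest = line.split(" ", 2)
        src, dst = rest.split(" -> ", 1) if action == "RENAME" else (rest, None)
        events.append((datetime.fromisoformat(ts), action, src, dst))
    return events

def detect_rename_burst(events, window=timedelta(seconds=5), threshold=3):
    """Return (extension, count) if at least `threshold` renames append the same
    new extension to otherwise unchanged names within `window`, else None."""
    by_ext = defaultdict(list)          # appended extension -> rename times
    for when, action, src, dst in events:
        # only renames that keep the original name and add a suffix count
        if action == "RENAME" and dst.startswith(src + "."):
            by_ext[dst[len(src):]].append(when)
    for ext, times in by_ext.items():
        times.sort()
        for i, start in enumerate(times):
            # count renames falling inside the window that starts at this event
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                return ext, count
    return None
```

A real deployment would feed this from an EDR or file-audit source and act on the alert (isolate the host, block the process) in the way the locking step described later on this page does at the drive level.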

X-PHY® Protection Against Netwalker Ransomware

Flexxon tested the Netwalker ransomware on an X-PHY® SSD and on a normal SSD to compare the responses. In less than 5 seconds, X-PHY® stopped the attack in its tracks, locked all data so that it remained untouched, and immediately notified the user via email and OTP.

Here are the screenshots of the results.

Scenario 1: Testing without X-PHY® protection (normal SSD)

1. Without X-PHY® protection, relying only on antivirus protection.

2. Netwalker.exe is run and activated.

3. All data was compromised (files ending with .f608f9), and the PC could not boot up; it only showed the following pop-up screen.

4. A Notepad file was created with instructions on how to get the data back by paying the ransom.

Scenario 2: Testing with X-PHY® protection

1. The ransomware was detected within 5 seconds and the SSD was locked.

2. On locking the SSD, X-PHY® notifies the user via email that a ransomware attack has been detected and the device has been locked.

3. To unlock X-PHY®, the user must complete the connected two-factor authentication; otherwise it remains locked. After unlocking, X-PHY® will have recorded all events in the event log, and the user can access the data normally again.

As attackers use ever more sophisticated techniques, it is becoming harder and harder for companies to stay ahead of them and keep their data secure from cyberattacks. That is why we built X-PHY®: it automatically detects suspicious behavior, having been trained on huge databases of malware to recognise the full range of malware behavior.

The X-PHY® AI core sits closest to your data and is trained to protect you from any threat that can reach it.

X-PHY® Response Flow

● The X-FILE FORENSIC AGENT features, ACTIVE DETECTIVE and DEEP INVESTIGATION, add extra file protection by preventing any illegal data modification. They also record every activity and the application behind it, making it easy for X-PHY® to identify suspicious actors.

● The X-GUARD THREAT LOCK features, SECURITY SCOUT and GUARDIAN PRO-X, work together to stop any attempt by the ransomware to breach or clone your sensitive data.

● When suspicious activity aimed at breaching or encrypting user data is noticed, X-PHY® triggers X-FACTOR ENCRYPTION LOCK. Its KEYCODE 2-FACTOR feature locks down all the data in X-PHY®, making it inaccessible to the ransomware.

● The X-PHY® SSD sends a notification to the user’s computer showing that ransomware has been detected, and simultaneously sends an email notification to the user’s registered address. The user needs an OTP to unlock the SSD.

● X-PHY® records the attack activity in the event log and will automatically stop any action with the same behavior in the future.
