As an aside, I would be remiss if I didn’t point out that the suspect is actually from Gatineau, Ottawa’s neighbour to the north and home of our CTO Jacques Latour…but I digress.
Back to the story. NetWalker has been around for a while, and was created by a cybercrime group known as Circus Spider. In order to increase distribution, they moved their software to a web services model whereby they took a cut of every “transaction” rather than be the direct perpetrators of the crime. They posted a job looking for affiliates who had experience and access to networks. Just like a traditional job interview, they needed proof of competence and posted what successful applicants would receive for being hired.
The affiliates—or as mainstream media likes to call them, thieves—then primarily use phishing emails to target high-value organizations and install the malware. Some reports had indicated that healthcare institutions and COVID-19-related organizations were among the prime targets because they are typically understaffed in cybersecurity and have IT departments that are designed more to support health outcomes than network management.
To add even more alleged criminality to the story, the Canadian implicated in the crime has a history of drug trafficking offences. KrebsOnSecurity cross-referenced the name to a drug charge in the same region for possession of more than 50,000 methamphetamine tablets. While we can’t confirm the relationship, the connection between organized crime and cybercrime has been well documented.
So what should you do? As always, we recommend a defence-in-depth posture that puts layers of defence on the endpoint, the network, and outside the network in the cloud with something like CIRA’s DNS Firewall. Since these attacks are typically distributed via phishing attempts, particularly spear phishing, we recommend that users be well trained to spot these types of scams. And not just to spot them, but to report them to the IT department. In this way, they aren’t just “risks to mitigate” but, in fact, intelligent parts of your network’s defence.
This is especially critical in this instance because the hacking organization wants people who can spear phish high-value targets and not simply mass spam people and have those emails get caught in the mail filters. This matters because it works. I have spoken with CIOs who have accidentally clicked on these types of malicious links when they were busy or distracted. If they are at risk, then think about those whose job isn’t to know better.
This illustrates the benefit of having individuals in your organization report malicious emails and links so the IT team can block them. In a spear phish scenario, these links and emails may not already be part of mass block lists. The fact that this ransomware has caught very sophisticated organizations means that the payload is not being caught by their other layers of security.
In CIRA’s case, users of the CIRA Cybersecurity Awareness service can teach and test their employees to recognize malicious content with templates that are designed to trick (Canadian) users.