NetWalker Ransomware Targets Philadelphia Health System
I. Targeted Industries
- Health Care
- Higher Education
- Electric Companies
- Financial Institutions
II. Summary
A large health care provider in Philadelphia, the Crozer-Keystone Health System, was recently hit by a malware attack that the operators of the NetWalker ransomware have claimed. Although the health system's Information Technology department moved quickly to isolate and remediate the affected systems, data had already been taken, and it is currently being displayed on the threat actors' blog page. NetWalker is run as Ransomware as a Service (RaaS) and is expected to keep targeting organizations; within a two-month span its operators are known to have hit Michigan State University, the University of California, San Francisco, and the Northwest Territories (NWT) Power Corporation.
III. Background Information
Infamous for exfiltrating and then encrypting data for ransom, the NetWalker (“Mailto”) ransomware gang targets large corporations, education, and healthcare systems. After infiltrating the Crozer-Keystone Health System, the gang is now auctioning the stolen data on its darknet website for bitcoin, giving the health system only six days to pay the ransom.
Back in May, Cyber Florida's security analysts reported on a COVID-19 phishing campaign delivering the NetWalker ransomware. Almost a month later, NetWalker used the same tactics to steal financial data from a hospital system in Philadelphia. NetWalker is delivered by an obfuscated PowerShell loader script and uses orchestration tooling on compromised domain controllers to push the malware to every machine the domain controllers reach. While the payload executes, the ransomware makes API calls to adjust the privileges of its own process, enabling SeDebugPrivilege and SeImpersonatePrivilege. It then encrypts files on the victim's local system using the Windows native system calls NtQueryInformationFile and NtSetInformationFile. After encryption, the files are renamed to contain the word “Mailto” and the user is presented with a ransom note.
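The three behaviours just described each leave a distinct Windows log trail, and the following PowerShell triage script is an added example for this advisory (not code from the report, from Cyber Florida or from any vendor) showing how to hunt for them across exported or live event records. It relies on real event sources (PowerShell script block logging event 4104, Security event 4703 "A token right was adjusted", Sysmon FileCreate event 11), but the regexes, the process allow-list and the sample records are this example's own assumptions and constructed data.

```powershell
# Added example for this advisory; not code from the report, from Cyber Florida or from any vendor.
# Triages Windows event records for the three NetWalker behaviours described above:
#   - obfuscated PowerShell loader                    -> PowerShell script block logging, event ID 4104
#   - SeDebugPrivilege/SeImpersonatePrivilege enabled -> Security log, event ID 4703 ("A token right was adjusted")
#   - files renamed with the "mailto" marker          -> Sysmon FileCreate, event ID 11
# The regexes and the process allow-list are this example's assumptions and need tuning per estate;
# the $sample records at the bottom are constructed, not real telemetry.

$LoaderPattern = '(?i)(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String|\[Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b)'
$PrivPattern   = '(?i)SeDebugPrivilege|SeImpersonatePrivilege'
$RenamePattern = '(?i)\.mailto\['          # assumption: the renamed extension carries the "mailto" marker the advisory mentions
# 4703 is noisy: these system binaries adjust token rights constantly. Assumed baseline; extend from your own data.
$PrivAllowList = @(
    'C:\Windows\System32\svchost.exe', 'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\services.exe', 'C:\Windows\System32\wbem\WmiPrvSE.exe'
)

function Find-NetWalkerIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,                  # Get-WinEvent records or look-alike objects
        [string[]] $AllowedPrivilegeProcesses = $PrivAllowList
    )
    foreach ($e in $Events) {
        switch ($e.Id) {
            4104 {
                if ($e.Message -match $LoaderPattern) {
                    [pscustomobject]@{ Rule = 'ObfuscatedPowerShellLoader'; Id = $e.Id; Host = $e.MachineName; Detail = $Matches[0] }
                }
            }
            4703 {
                # Only the "Enabled Privileges" section matters; the event also lists disabled ones.
                $enabled = if ($e.Message -match '(?is)Enabled Privileges:\s*(.*?)(Disabled Privileges:|$)') { $Matches[1] } else { '' }
                $proc    = if ($e.Message -match '(?i)Process Name:\s*(.+?)\s*(\r?\n|$)') { $Matches[1] } else { '' }
                if (($enabled -match $PrivPattern) -and ($AllowedPrivilegeProcesses -notcontains $proc)) {
                    [pscustomobject]@{ Rule = 'PrivilegeAdjustment'; Id = $e.Id; Host = $e.MachineName; Detail = "$proc enabled $($Matches[0])" }
                }
            }
            11 {
                $target = if ($e.Message -match '(?i)TargetFilename:\s*(.+?)\s*(\r?\n|$)') { $Matches[1] } else { '' }
                if ($target -match $RenamePattern) {
                    [pscustomobject]@{ Rule = 'MailtoRename'; Id = $e.Id; Host = $e.MachineName; Detail = $target }
                }
            }
        }
    }
}

# Constructed sample records (shape of Get-WinEvent output: Id, MachineName, Message). Three are benign.
$sample = @(
    [pscustomobject]@{ Id = 4104; MachineName = 'WS01'; Message = 'Creating Scriptblock text (1 of 1): powershell.exe -nop -w hidden -enc SQBFAFgAIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdAA==' }
    [pscustomobject]@{ Id = 4104; MachineName = 'WS01'; Message = 'Creating Scriptblock text (1 of 1): Get-ChildItem C:\Logs | Where-Object Length -gt 1MB' }
    [pscustomobject]@{ Id = 4703; MachineName = 'WS01'; Message = "A token right was adjusted.`r`nProcess Name: C:\Users\jdoe\AppData\Local\Temp\qeSw.exe`r`nEnabled Privileges:`r`n`t`t`tSeDebugPrivilege`r`n`t`t`tSeImpersonatePrivilege`r`nDisabled Privileges:`r`n`t`t`t-" }
    [pscustomobject]@{ Id = 4703; MachineName = 'WS01'; Message = "A token right was adjusted.`r`nProcess Name: C:\Windows\System32\svchost.exe`r`nEnabled Privileges:`r`n`t`t`tSeImpersonatePrivilege`r`nDisabled Privileges:`r`n`t`t`t-" }
    [pscustomobject]@{ Id = 11;   MachineName = 'FS02'; Message = "File created:`r`nImage: C:\Users\jdoe\AppData\Local\Temp\qeSw.exe`r`nTargetFilename: D:\Finance\Q2-claims.xlsx.mailto[attacker@example.org].a1b2c3" }
    [pscustomobject]@{ Id = 11;   MachineName = 'FS02'; Message = "File created:`r`nImage: C:\Windows\explorer.exe`r`nTargetFilename: D:\Finance\Q2-claims.xlsx" }
)
Find-NetWalkerIndicators -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample it flags three of the six records (the encoded loader, the temp-directory binary enabling SeDebugPrivilege, and the renamed spreadsheet) and ignores the benign script block, the svchost.exe privilege adjustment and the untouched file. On a live host, feed it real records instead, for example `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703 } -MaxEvents 5000`, `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }` and `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 }`; script block logging and Sysmon must already be enabled for those logs to exist, and the 4703 allow-list will need extending from your own baseline before the rule is quiet enough to alert on.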
IV. Recommendations
- Scheduled Backups
Back up data regularly and keep copies stored externally, out of reach of the network.
- Closely Monitor Remote Access Infrastructure
Investigate unusual activity in event logs immediately, and reset the passwords of all accounts if compromise is suspected.
- Malware Monitoring
Keep monitoring and stay informed as new information and advancements in the malware emerge.
- Incorporate Known IOCs into IDS
Load the known IOCs for this malware into your intrusion detection system to catch related suspicious behavior.
- Turn on Attack Surface Reduction Rules
Enable the rules that block credential theft and ransomware activity.
- Patch Updates
Apply updates consistently and patch known vulnerabilities.
- Recommended Link: https://www.us-cert.gov/Ransomware
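For the Attack Surface Reduction recommendation above, the following script is an added example (not from this advisory or from Microsoft) of turning on the Microsoft Defender ASR rules that map to the behaviours this report describes: credential theft from LSASS, ransomware activity, and obfuscated scripts. The rule GUIDs are Microsoft's published identifiers; the audit-first rollout, the helper function names and the reporting format are this example's own choices.

```powershell
# Added example for this advisory; not code from the report or from Microsoft. Enables the
# Microsoft Defender Attack Surface Reduction rules that address the behaviours described above
# (LSASS credential theft, ransomware activity, obfuscated scripts), audit-first, then verifies.
# Run from an elevated PowerShell on a host with Defender Antivirus active. Rule GUIDs are
# Microsoft's published identifiers; the audit-then-enforce sequence is this example's choice.

$AsrRules = @{
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'                                                = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block execution of potentially obfuscated scripts'                                         = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }   # action codes as returned by Get-MpPreference

function Get-AsrRuleState {
    # Defender stores configured rules as two parallel arrays; fold them into GUID -> action code.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })   # empty array when nothing is configured
    $acts  = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -ne $null })
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $state[$ids[$i]] = [int]$acts[$i] }
    return $state
}

function Set-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    foreach ($name in $AsrRules.Keys) {
        # Add-MpPreference sets the action for that GUID only; other ASR rules are left as they are.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Test-AsrRules {
    # Prints each rule's current action and returns $true only when all three are in Block mode.
    $state = Get-AsrRuleState
    $allBlocking = $true
    foreach ($name in $AsrRules.Keys) {
        $code = if ($state.ContainsKey($AsrRules[$name])) { $state[$AsrRules[$name]] } else { 0 }
        Write-Host ('{0,-8} {1}' -f $ActionName[$code], $name)
        if ($code -ne 1) { $allBlocking = $false }
    }
    return $allBlocking
}

# 1. Deploy in audit mode first. Audit hits are logged as event ID 1122 in the
#    Microsoft-Windows-Windows Defender/Operational log (1121 once a rule is blocking); review them
#    for a week or two to catch legitimate tooling the rules would break.
Set-AsrRules -Mode AuditMode
# 2. After a clean audit window, enforce:  Set-AsrRules -Mode Enabled
# 3. Verify the end state; $false means at least one rule is still not blocking.
Test-AsrRules
```

The audit step matters in a hospital estate: the LSASS rule and the obfuscated-script rule can interfere with older agents and management scripts, and the 1122 events tell you exactly which binaries would have been blocked before anything is enforced. Managing the same three rules through Group Policy or Intune gives the same result at scale; this script is the single-host form for verifying what a policy actually applied.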
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
VI. Sources
(1) Drees, Jackie. “Ransomware Group Auctions Crozer-Keystone Health System Data on Darknet.” Becker’s Hospital Review, June 22, 2020. https://www.beckershospitalreview.com/cybersecurity/ransomware-group-auctions-crozer-keystone-health-system-data-on-darknet.html.
(2) Erazo, Felipe. “Ransomware Gang Auctions Off US Healthcare Data for Bitcoin.” Cointelegraph, June 19, 2020. https://cointelegraph.com/news/ransomware-gang-auctions-off-us-healthcare-data-for-bitcoin.
(3) Lyngaas, Sean. “Philadelphia-Area Health System Says It ‘Isolated’ a Malware Attack.” CyberScoop, June 19, 2020. https://www.cyberscoop.com/crozer-keystone-cyber-attack-netwalker-ransomware/.
(4) “NetWalker ‘Malito’ Ransomware.” Cyber Florida, May 28, 2020. https://cyberflorida.org/2020/05/28/netwalker-malito-ransomware/.
(5) Robinson, Teri. “NetWalker Claims Credit for Attack on Crozer-Keystone Health System.” SC Media, June 20, 2020. https://www.scmagazine.com/home/health-care/netwalker-claims-credit-for-attack-on-crozer-keystone-health-system/.
(6) Swee Lai Lee, Ac. “Threat Analysis Unit (TAU) Threat Intelligence Notification: MailTo (NetWalker) Ransomware.” VMware Carbon Black, February 7, 2020. https://www.carbonblack.com/2020/02/07/threat-analysis-unit-tau-threat-intelligence-notification-mailto-netwalker-ransomware/.