Netwalker Ransomware Hits Philadelphia Healthcare Firm
by Ryan Ozawa
Pennsylvania-based Crozer-Keystone Health System confirmed earlier this month that it was the victim of a malware attack. The attack took place in June, and its perpetrators were reportedly trying to auction off the stolen data to the highest bidder at the time.
The ransomware group is known as Netwalker, and is one of more than a dozen malicious hacking teams known for creating “data leak sites to publicly shame their victims and publish the files they stole.”
The FBI issued a formal warning about Netwalker and its tactics in July.
What patient data was involved?
“Based on the hospital’s ongoing investigation, we believe that no patient data was misused or made public and that no such data is at risk for future misuse or public disclosure,” company spokesperson Nina Kruse said in a prepared statement sent to the media. But she acknowledged that “certain health information, including lab testing information for some patients,” was involved.
The data does not include underlying clinical diagnoses, treatment, or other sensitive personal information, the company added, noting that it is contacting individuals whose information may have been compromised and offering additional resources.
How was the system compromised?
While Netwalker’s overall tactic is familiar—encrypting an organization’s data for a ransom—Earlier this year Netwalker “began exploiting COVID-19 fears by luring unsuspecting victims with pandemic related phishing emails,” the FBI explains.
SEE ALSO: Display Name Spoofing: A Solution
In addition to tricking victims with malicious emails, Netwalker takes advantage of security weaknesses in virtual private network (VPN) appliances, vulnerable user interface components in web applications, and weak passwords used for remote desktop protocol (RDP) connections.
According to the FBI, Netwalker “became widely recognized in March 2020 after intrusions on an Australian transportation and logistics company and a U.S. public health organization.”
In addition to health agencies, Netwalker has also attacked U.S. and foreign government organizations, education entities, and private companies.
What did Netwalker threaten to do?
Computer security professionals became aware of the attack or Crozer-Keystone when Netwalker posted screenshots of what it claimed were encrypted files from the Crozer-Keystone system. The “victim-shaming website” also included a countdown clock that gave the company six days to pay a ransom or else the data would be publicly released.
Independent analysis of the posted information suggested that “there appeared to be dozens of folders with an undisclosed amount of data, mostly concerning finances, but nothing related to medical records of patients.”
How can we defend against these attacks?
The FBI does not suggest paying a ransom to criminal actors, which could encourage other attacks and does not guarantee that a victim’s data will be restored or kept private. But if a ransomware attack successfully disables a company, there are few remaining options.
Security experts agree that ransomware incidents should be treated as data breaches. The response to the incident should be similar, including everything from comprehensive prevention measures to following guidelines on prompt public and customer disclosure.
And since email remains the most common threat vector for these attacks, investing in a solution like Paubox Email Suite Premium is a great option for providing multi-layered inbound and outbound HIPAA compliant email security.