It isn’t entirely clear how the threat actors behind the Netwalker ransomware campaign gain an initial foothold in the networks they target, says Sophos, which “stumbled upon” a cache of tools used by the cybercriminals in late May. The British security firm added: “There are hints they take advantage of well-known, heavily publicized vulnerabilities in widely used, outdated server software (such as Tomcat or Weblogic) or weak RDP passwords.”
Sophos notes the Netwalker group’s use of a “comprehensive set of tools used to perform reconnaissance on targeted networks; privilege-elevation and other exploits… and utilities that can steal, sniff, or brute-force their way to valuable information (including Mimikatz, and variants called Mimidogz and Mimikittenz, designed around avoiding detection by endpoint security).”
In an archive of tools left on a server used by the group, Sophos also found a “number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools”.
It is unusual for an organisation to publicly admit paying a ransom. Security professionals typically warn that it can expose institutions to further attacks.
The UCSF said: “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates.
“We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share.”